On all Ubuntu flavours a simple solution is to install sudo from its development page; the sudo included in the system does not work with groups correctly, up to Ubuntu 16.04.

From what I have seen, if a user is in a group that is in a different group, sudo on Ubuntu does not recognize the second group (the group that the user's group is a member of).

Haven't tested host groups, but it might be the same case there.


On 01.10.2017 at 16:58, Aaron Cole via FreeIPA-users wrote:
Hey Michael.

I have never added Ubuntu or Debian machines to an IPA server. I have gotten 
RHEL 5/6/7, HPUX 11.31 and Solaris 10/11 machines added and working on my IPA 
servers, so I can hope to shed some light from my troubles. I have found that 
the issue lies with how the sudo on the server resolves its own hostname.

Can you attempt to debug sudo? You should be able to add a debug line to 
sssd.conf in the [sudo] section.

Also, have you tried to add a rule and explicitly list the server (not group)? 
This will help determine if the issue is related to the host name comparison 
with the FQDN or if it's having issues expanding host groups.

I'm sure you already know this, but including just in case:

From the sssd.conf man page from Ubuntu, you can have a setting in there, 
hostid_provider; make sure that is set to ipa. I'm sure this is set up from the 
installation.

The man page also states: "Note: in order to use netgroups or IPA hostgroups in 
sudo rules, you also need to correctly set nisdomainname(1) to your NIS domain 
name (which equals to IPA domain name when using hostgroups)."

You can also set a setting in sssd.conf to reflect the FQDN correctly: 
ipa_hostname = FQDN. I have had to set this, due to not being able to change 
hostnames from shortname to FQDN.

Common things I have run into / fixed:
- The hosts file is not set up correctly for the host. The host entry for itself 
has to be set up as 10.0.0.5 ServerFQDN ServerShortname

- Set the server name to the FQDN vs. shortname. If unable to set it, statically 
set the hostname with the --hostname option on installation.

- Ensure that the host entry FQDN in IPA is the same as the hosts 
file/hostname. Otherwise you can set the hostname statically in sssd.conf with

- Set the NIS domain name to the IPA domain.

- Add the sudo option "fqdn" to the sudo rule, to ensure the FQDN will be 
used by the hosts.

I would be more interested in what the debugging produces.

-Aaron
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

--

Przemysław Orzechowski
Network Administrator
e: przemek.orzechow...@makolab.com
t: +48 42 683 74 97

MakoLab
Demokratyczna 46, 93-430 Łódź, Poland
www.makolab.com
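A script that checks the host-side prerequisites from Aaron's list (hostid_provider, ipa_hostname, a [sudo] debug_level, nisdomainname equal to the IPA domain, and the hosts-file entry with the FQDN first). This is an added example, not code from the thread; the sssd.conf and hosts file contents are constructed for the demo, and it assumes the sssd domain section is named [domain/<IPA domain>].

```shell
# Added example (not from the thread): checks the host-side prerequisites for
# IPA host-group sudo rules. hostid_provider, ipa_hostname and [sudo]
# debug_level are real sssd.conf options; the sample files are constructed.

# sssd_get CONF SECTION KEY: print KEY's value from [SECTION] of CONF.
sssd_get() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { in_sec = 1; next }
    /^\[/     { in_sec = 0 }
    in_sec {
      n = index($0, "="); if (!n) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (k == key) print v
    }' "$1"
}
# check_ipa_sudo_host CONF HOSTS FQDN NISDOMAIN: prints each failed check,
# returns non-zero if any failed. Assumes section [domain/<IPA domain>].
check_ipa_sudo_host() {
  conf=$1; hosts=$2; fqdn=$3; nisdom=$4; rc=0
  short=${fqdn%%.*}; ipadom=${fqdn#*.}; sec="domain/$ipadom"
  [ "$(sssd_get "$conf" "$sec" hostid_provider)" = ipa ] \
    || { echo "hostid_provider is not ipa"; rc=1; }
  [ "$(sssd_get "$conf" "$sec" ipa_hostname)" = "$fqdn" ] \
    || { echo "ipa_hostname does not match $fqdn"; rc=1; }
  [ -n "$(sssd_get "$conf" sudo debug_level)" ] \
    || { echo "no debug_level in [sudo]; sudo debugging is off"; rc=1; }
  # Host-group matching needs nisdomainname to equal the IPA domain name.
  [ "$nisdom" = "$ipadom" ] \
    || { echo "nisdomainname '$nisdom' != IPA domain '$ipadom'"; rc=1; }
  # /etc/hosts must list the FQDN before the short name: <ip> <fqdn> <short>
  awk -v f="$fqdn" -v s="$short" '$2 == f && $3 == s { ok = 1 } END { exit ok ? 0 : 1 }' "$hosts" \
    || { echo "no hosts line '<ip> $fqdn $short'"; rc=1; }
  return $rc
}
# Constructed sample files; on a live host use /etc/sssd/sssd.conf,
# /etc/hosts, "$(hostname -f)" and "$(nisdomainname)" instead.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sssd.conf" <<'EOF'
[sudo]
debug_level = 6
[domain/ipa.example.test]
hostid_provider = ipa
ipa_hostname = host1.ipa.example.test
EOF
printf '10.0.0.5 host1.ipa.example.test host1\n' > "$demo_dir/hosts"
check_ipa_sudo_host "$demo_dir/sssd.conf" "$demo_dir/hosts" \
  host1.ipa.example.test ipa.example.test && echo "all checks passed"
```

On a live client, any line it prints points at one of the mismatches Aaron describes (short hostname, wrong NIS domain, or a hosts entry with the short name first).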