On Tue, Jul 10, 2012 at 2:56 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 07/10/2012 03:15 PM, KodaK wrote:
>> I'm running IPA 2.2.0 on RHEL6
>>
>> Server:
>>
>> [root@validserver ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>>
>> Client:
>>
>> [root@validhost ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>>
>> My sudo-ldap.conf file:
>>
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
>> bindpw validpassword
>>
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>>
>> bind_timelimit 5
>> timelimit 15
>>
>> uri ldap://validserver ldap://validserver2
>> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
>>
>> What I'm trying to do: I have a group of users that I'd like to have
>> restart apache on a group of hosts.
>>
>> What I've done: created a user group, created a group of hosts (in a
>> grouplist.)
>>
>> I can successfully run sudo in any configuration, *except* when using
>> a host group. When I try I get:
>>
>> Sorry, user validuser is not allowed to execute
>> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>>
>> I can edit the same rule, change the host group (that only contains
>> two hosts) and specify the two hosts directly and it works fine.
>>
>> Can someone else just try this and see if I've hit a bug? I'm certain
>> I couldn't have messed up creating the host group, but I suppose it's
>> possible.
>>
>> I get the same behavior when I try a simple "/bin/cat" command through
>> sudo, too.
>>
>> Is there a special config for using host groups? I suspect I may have
>> missed some obvious documentation.
>>
> What do your SUDO entries look like?

Rule name: test rule
Options: none
Who: specified users and groups
Users: jebalicki
User groups: none
Access this host: specified users and groups
Hosts: none
Host groups: tds-webhosts (contains the two valid client systems)
RUN COMMANDS
ALLOW
command category the rule applies to: specified commands and groups
sudo allow commands: /bin/cat
sudo allow command groups: none

Nothing denied. "As whom" is left as default.

> Do you see host netgroup coming over to the system when you enumerate
> netgroups?

I don't know how to do this at the command line. I'm googling for it.
The only thing I'm even vaguely familiar with (in that it exists) is
ypcat, but I thought sssd was taking care of "translating" the host
groups to netgroups for sudo? I'm sorry, I'm just not familiar with NIS
at all. The documentation tells me that a hidden netgroup is created, so
I shouldn't need to manually specify one, right?

> Does it have the two hosts you mentioned?

Once I find that I'll get back to you. Thanks for taking the time.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
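The check Dmitri asks for (whether the netgroup derived from the host group is visible on the client and contains this host) can be scripted with getent, which is what sudo's LDAP matching ultimately relies on. The script below is an added example, not code from the thread or from FreeIPA; the netgroup name tds-webhosts and host names are the thread's sanitised values, and the sample getent line is constructed.

```shell
#!/bin/sh
# Added example: verify that a host-group-derived netgroup resolves through
# NSS on this client and lists this client's FQDN. Names are taken from the
# thread; the sample getent output used for the self-test is constructed.

# netgroup_has_host NETGROUP_LINE HOSTNAME
# Parses one line of `getent netgroup` output, e.g.
#   tds-webhosts (validhost1.fqdn.com,-,fqdn.com) (validhost2.fqdn.com,-,fqdn.com)
# and returns 0 if HOSTNAME is the host field of some (host,user,domain)
# triple, 1 otherwise. getent already flattens nested netgroups, so only
# triples are inspected here.
netgroup_has_host() {
    line=$1
    host=$2
    rest=${line#* }              # strip the leading netgroup name
    [ "$rest" = "$line" ] && return 1   # no triples at all: empty netgroup
    for triple in $rest; do
        triple=${triple#\(}
        triple=${triple%\)}
        h=${triple%%,*}          # first field of the triple is the host
        [ "$h" = "$host" ] && return 0
    done
    return 1
}

# check_live NETGROUP: query NSS on this client and report membership of
# the local FQDN. Exit status 0 = member, 1 = netgroup missing or no match.
check_live() {
    ng=$1
    fqdn=$(hostname -f)
    if ! out=$(getent netgroup "$ng"); then
        echo "netgroup '$ng' not visible via NSS on this client" >&2
        return 1
    fi
    if netgroup_has_host "$out" "$fqdn"; then
        echo "$fqdn is a member of $ng"
    else
        echo "$fqdn NOT found in $ng: $out" >&2
        return 1
    fi
}

# Usage on a client: check_live tds-webhosts
```

If the netgroup is not visible at all, the problem is NSS/sssd configuration rather than the sudo rule; if it is visible but the FQDN is missing, compare the host entries in the host group with the name `hostname -f` returns.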