When I become the user in question I see the following in the sssd log.

    [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test]

I think this is a sudo problem before anything else.  For a user for whom sudo 
works, host_matches = 1 is always returned when debugging is on.  For a user for 
whom it does not work, host_matches always equals 0 (zero).

I am open to troubleshooting the ldap configuration as I am not convinced that 
it is referencing the host properly.  I enroll the clients using FQDN, but 
noticed that initially, domainname and nisdomainname would return (none).  
Fixing these to show the correct domain did not change the behavior of the 
nodes though.

Thanks again!

Jason
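A small diagnostic script, added here as an example (not from the thread and not FreeIPA's own code), that models the short-versus-FQDN comparison behind sudo's host_matches and builds the ldapsearch Dmitri suggests; the server name, base DN and the ou=SUDOers compat container are assumptions to adapt locally.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: models the host check
# behind sudo's host_matches and builds the ldapsearch suggested in the thread.
# Server name, base DN and the ou=SUDOers compat container are assumptions.

# sudo_host_matches "RULE_HOSTS" CLIENT_NAME
# Simplified model of sudo's host check: each space-separated rule host is
# compared with the name the client reports, its short form and the ALL
# wildcard. Returns 0 for a match (host_matches=1), 1 otherwise (host_matches=0).
sudo_host_matches() {
    rule_hosts=$1
    client=$2
    short=${client%%.*}            # strip everything after the first dot
    for h in $rule_hosts; do
        case "$h" in
            ALL|"$client"|"$short") return 0 ;;
        esac
    done
    return 1
}

# Build the ldapsearch that lists the host values the server hands out for sudo
# rules (anonymous bind against the assumed compat tree).
ldap_sudo_hosts_query() {
    server=${1:-ipa.example.com}   # assumed server name
    base=${2:-dc=example,dc=com}   # assumed base DN
    echo "ldapsearch -x -H ldap://$server -b ou=SUDOers,$base '(objectClass=sudoRole)' cn sudoHost"
}

# Report, for each NAME=HOSTS rule, whether it would match the given client.
check_rules() {
    client=$1
    shift
    for rule in "$@"; do
        name=${rule%%=*}
        hosts=${rule#*=}
        if sudo_host_matches "$hosts" "$client"; then
            echo "$name: host_matches=1"
        else
            echo "$name: host_matches=0 (client '$client' not in '$hosts')"
        fi
    done
}

# Constructed sample rules: one keyed by FQDN, one by short name, one with ALL.
# A client that only knows its short name fails the FQDN rule, which is the
# symptom described in the thread. Pass "$(hostname -f)" for a real client.
check_rules "web01" "admins_all=ALL" "backup_fqdn=web01.example.com" "ops_short=web01"
echo "Compare the names above with the server's view: $(ldap_sudo_hosts_query)"
```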

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Monday, October 15, 2012 5:58 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

On 10/15/2012 04:46 PM, Dmitri Pal wrote:
On 10/15/2012 04:34 PM, Macklin, Jason wrote:
Hi,

I apologize up front if this is obvious, but I'm having issues configuring sudo 
privileges.

I currently have an IPA server running FreeIPA 2.2 with sudo configured for our 
administrators on all hosts.  This works fantastic!  As soon as I attempt to 
configure a more specific sudo rule it does not work.  In my troubleshooting, I 
have noticed that from the same host my admin level privileges work, but with 
another user account setup to just run one command, it fails.  I have turned on 
sudo debugging and the only thing I can find that looks out of sorts is the 
following:

sudo: host_matches=0

As soon as I move the user account that is failing into the admin group it 
starts to work.

I have attempted every iteration of sudo configuration on the server that I can 
think of.  I have setup HBAC and given that a shot as well.  At this point I'm 
completely stumped and would appreciate any help that I can get!

What does sudo test return?

Yes I meant HBAC. I might have confused you and myself so let us start over.

First we need to make sure that the authentication happens correctly so if HBAC 
is set to allow you should see in the SSSD log that access is granted. That 
will limit the problem to just SUDO. If you have the allow_all HBAC rule and no 
other rules then we can probably skip this step and move on to trying to solve 
the actual SUDO part.

So with SUDO one of the known issues is the long vs short hostname. Do you by 
any chance use a short host name for that host?
If names are FQDN the next step would be to use ldapsearch from the client and 
see what LDAP entries the server would return.



Thank you in advance for your assistance,
Jason

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/