On 10/16/2012 10:05 AM, Macklin, Jason wrote:
> When I become the user in question I see the following in the sssd log.
>
> [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test]
>
> I think this is a sudo problem before anything else. For a user in which sudo works, host_matches = 1 always returns when debugging is on. For a user that does not work host_matches always equals 0 (zero).

Is there any way to see a more detailed debug log from sudo then? It should show what it is looking for and what it is getting back from the server.

> I am open to troubleshooting the ldap configuration as I am not convinced that it is referencing the host properly. I enroll the clients using FQDN, but noticed that initially, domainname and nisdomainname would return (none). Fixing these to show the correct domain did not change the behavior of the nodes though.
>
> Thanks again!
>
> Jason
>
> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Dmitri Pal
> *Sent:* Monday, October 15, 2012 5:58 PM
> *To:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.
>
> On 10/15/2012 04:46 PM, Dmitri Pal wrote:
>> On 10/15/2012 04:34 PM, Macklin, Jason wrote:
>>> Hi,
>>>
>>> I apologize up front if this is obvious, but I'm having issues configuring sudo privileges.
>>>
>>> I currently have an IPA server running FreeIPA 2.2 with sudo configured for our administrators on all hosts. This works fantastic! As soon as I attempt to configure a more specific sudo rule it does not work. In my troubleshooting, I have noticed that from the same host my admin level privileges work, but with another user account set up to just run one command, it fails. I have turned on sudo debugging and the only thing I can find that looks out of sorts is the following:
>>>
>>> sudo: host_matches=0
>>>
>>> As soon as I move the user account that is failing into the admin group it starts to work.
>>>
>>> I have attempted every iteration of sudo configuration on the server that I can think of. I have set up HBAC and given that a shot as well. At this point I'm completely stumped and would appreciate any help that I can get!
>>
>> What does sudo test return?
>
> Yes I meant HBAC. I might have confused you and myself so let us start over.
>
> First we need to make sure that the authentication happens correctly so if HBAC is set to allow you should see in the SSSD log that access is granted. That will limit the problem to just SUDO. If you have the allow_all HBAC rule and no other rules then we can probably skip this step and move on to trying to solve the actual SUDO part.
>
> So with SUDO one of the known issues is the long vs short hostname. Do you by any chance use a short host name for that host?
> If names are FQDN the next step would be to use ldapsearch from the client and see what LDAP entries the server would return.
>
>>> Thank you in advance for your assistance,
>>> Jason
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
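An added diagnostic, not part of this thread, that approximates the host check sudo's LDAP backend performs against the sudoHost values an IPA server returns, so the long-vs-short hostname mismatch Dmitri points at can be seen producing host_matches=0 on a client. The LDIF is constructed, and the base DN ou=sudoers,dc=example,dc=com, the server name and the ldapsearch query in the comment are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: approximate the host check that sudo's
# LDAP backend performs against the sudoHost values the IPA server hands back.

# Constructed sample of what ldapsearch might return for one sudo rule. The
# query below is an assumption (FreeIPA compat sudoers tree, base DN made up):
#   ldapsearch -x -H ldap://ipa.example.com \
#       -b ou=sudoers,dc=example,dc=com '(objectClass=sudoRole)' cn sudoHost
SAMPLE_LDIF='dn: cn=test,ou=sudoers,dc=example,dc=com
cn: test
sudoHost: node1.example.com
sudoHost: +webservers'

# Print the sudoHost values found in LDIF text read from stdin.
sudo_hosts() {
    sed -n 's/^sudoHost: //p'
}

# host_matches FQDN SHORTNAME "HOST VALUES..."
# Prints 1 when a value matches the way sudoers_ldap does for plain names:
# ALL, the exact FQDN, or the exact short name. Netgroups (+name) cannot be
# resolved offline, so they are reported on stderr instead of being evaluated.
host_matches() {
    fqdn=$1; short=$2; values=$3
    result=0
    for v in $values; do
        case $v in
            ALL|"$fqdn"|"$short") result=1 ;;
            +*) echo "netgroup $v: verify with 'getent netgroup ${v#+}'" >&2 ;;
            *) echo "no match: sudoHost=$v vs host $fqdn/$short" >&2 ;;
        esac
    done
    echo "$result"
}

# diagnose FQDN: run the constructed LDIF through the check for one client.
# A client that only knows a short hostname, or whose rule lists the short
# name while the client reports its FQDN, ends up with result 0.
diagnose() {
    fqdn=$1
    short=${fqdn%%.*}
    if [ "$short" = "$fqdn" ]; then
        echo "warning: client reports a short hostname ($fqdn); FQDN sudoHost values will not match" >&2
    fi
    host_matches "$fqdn" "$short" "$(printf '%s\n' "$SAMPLE_LDIF" | sudo_hosts)"
}

# Run against this client's own name; replace SAMPLE_LDIF with real ldapsearch output.
diagnose "$(hostname -f 2>/dev/null || echo node1.example.com)"
```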