If you look closely, the reason that your admin works is because it appears to be matching a sudo rule that has the "ALL" hosts value set.

When you run the non-working user, it is attempting to match the hostname/hostgroup to the rule and fails to do so.

Try this. Type:

getent netgroup hostgroupname    <- your host's hostgroup goes there

That command should return all of the hosts in your hostgroup. If it does not, then check /etc/nsswitch.conf and make sure that netgroup is set to use sss.

You will also need to make sure that the output of:

domainname

or

nisdomainname

matches your expected domain.

Let me know how things look after trying that.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On Oct 16, 2012, at 8:34 AM, "Macklin, Jason" <jason.mack...@roche.com> wrote:

Working user:

[jmacklin@dbduwdu062 log]$ sudo -l
LDAP Config Summary
===================
uri              ldap://dbduvdu145.dbr.roche.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=dbr,dc=roche,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=dbr,dc=roche,dc=com
bindpw           Roche454
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://dbduvdu145.dbr.roche.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=dbr,dc=roche,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x82
Matching Defaults entries for jmacklin on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
sudo: ldap search '(|(sudoUser=jmacklin)(sudoUser=%jmacklin)(sudoUser=%dbr)(sudoUser=%admins)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
User jmacklin may run the following commands on this host:
    (root) ALL

Non-working user:

Rule name: test4
Enabled: TRUE
Command category: all
Users: asteinfeld
Hosts: dbduwdu062.some.domain.com

LDAP Config Summary
===================
uri              ldap://dbduvdu145.dbr.roche.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=dbr,dc=roche,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=dbr,dc=roche,dc=com
bindpw           Roche454
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://dbduvdu145.dbr.roche.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=dbr,dc=roche,dc=com
sudo: ldap sudoHost 'dbduwdu062.dbr.roche.com' ... not
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x84
[sudo] password for asteinfeld:
Sorry, user asteinfeld may not run sudo on dbduwdu062.

Cheers,
Jason

From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Tuesday, October 16, 2012 11:22 AM
To: Macklin, Jason {DASB~Branford}
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

On 10/16/2012 11:09 AM, Macklin, Jason wrote:

Dmitri,

I will give you everything I've got. If I can provide something else, let me know!

Working User:

Sudo debug output:

[jmacklin@dbduwdu062 log]$ sudo -l
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=dbr,dc=roche,dc=com
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x82
[sudo] password for jmacklin:
Matching Defaults entries for jmacklin on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
sudo: ldap search '(|(sudoUser=jmacklin)(sudoUser=%jmacklin)(sudoUser=%dbr)(sudoUser=%admins)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
User jmacklin may run the following commands on this host:
    (root) ALL

/var/log/secure output:

Oct 16 11:00:03 dbduwdu062 sudo: pam_unix(sudo:auth): authentication failure; logname=jmacklin uid=0 euid=0 tty=/dev/pts/1 ruser=jmacklin rhost= user=jmacklin
Oct 16 11:00:04 dbduwdu062 sudo: pam_sss(sudo:auth): authentication success; logname=jmacklin uid=0 euid=0 tty=/dev/pts/1 ruser=jmacklin rhost= user=jmacklin
Oct 16 11:00:04 dbduwdu062 sudo: jmacklin : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=list

Non-working user:

Sudo debug output:

[asteinfeld@dbduwdu062 ~]$ sudo -l
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=dbr,dc=domain,dc=com
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x84
[sudo] password for asteinfeld:
Sorry, user asteinfeld may not run sudo on dbduwdu062

/var/log/secure output:

Oct 16 11:05:34 dbduwdu062 sudo: pam_unix(sudo:auth): authentication failure; logname=asteinfeld uid=0 euid=0 tty=/dev/pts/3 ruser=asteinfeld rhost= user=asteinfeld
Oct 16 11:05:35 dbduwdu062 sudo: pam_sss(sudo:auth): authentication success; logname=asteinfeld uid=0 euid=0 tty=/dev/pts/3 ruser=asteinfeld rhost= user=asteinfeld
Oct 16 11:05:35 dbduwdu062 sudo: asteinfeld : command not allowed ; TTY=pts/3 ; PWD=/home2/asteinfeld ; USER=root ; COMMAND=list

Cheers.
Jason

Please set sudoers_debug 2
http://www.doxer.org/learn-linux/modify-sudoers_debug-in-ldap-conf-to-debug-sudo-on-linux-and-solaris/

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, October 16, 2012 10:33 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

On 10/16/2012 10:05 AM, Macklin, Jason wrote:

When I become the user in question I see the following in the sssd log.

[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test]

I think this is a sudo problem before anything else. For a user in which sudo works, host_matches = 1 always returns when debugging is on. For a user that does not work host_matches always equals 0 (zero).

Is there any way to see a more detailed debug log from sudo then? It should show what it is looking for and what it is getting back from the server.

I am open to troubleshooting the ldap configuration as I am not convinced that it is referencing the host properly. I enroll the clients using FQDN, but noticed that initially, domainname and nisdomainname would return (none). Fixing these to show the correct domain did not change the behavior of the nodes though.

Thanks again!
Jason

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Monday, October 15, 2012 5:58 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

On 10/15/2012 04:46 PM, Dmitri Pal wrote:

On 10/15/2012 04:34 PM, Macklin, Jason wrote:

Hi,

I apologize up front if this is obvious, but I'm having issues configuring sudo privileges.

I currently have an IPA server running FreeIPA 2.2 with sudo configured for our administrators on all hosts. This works fantastic! As soon as I attempt to configure a more specific sudo rule it does not work.

In my troubleshooting, I have noticed that from the same host my admin level privileges work, but with another user account set up to just run one command, it fails. I have turned on sudo debugging and the only thing I can find that looks out of sorts is the following:

sudo: host_matches=0

As soon as I move the user account that is failing into the admin group it starts to work.

I have attempted every iteration of sudo configuration on the server that I can think of. I have set up HBAC and given that a shot as well. At this point I'm completely stumped and would appreciate any help that I can get!

What does sudo test return?

Yes I meant HBAC. I might have confused you and myself so let us start over.

First we need to make sure that the authentication happens correctly so if HBAC is set to allow you should see in the SSSD log that access is granted. That will limit the problem to just SUDO. If you have the allow_all HBAC rule and no other rules then we can probably skip this step and move on to trying to solve the actual SUDO part.

So with SUDO one of the known issues is the long vs short hostname. Do you by any chance use a short host name for that host? If names are FQDN the next step would be to use ldapsearch from the client and see what LDAP entries the server would return.

Thank you in advance for your assistance,
Jason

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
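The checks the replies describe (FQDN hostname, netgroup resolution through sss in nsswitch.conf, the host appearing in its hostgroup, and domainname matching) can be run together. The script below is an added example and not code from the thread; the function names, the hostgroup and domain arguments, and the sample inputs are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread: runs the checks the replies
# point at when an LDAP sudo rule fails with host_matches=0. Each check takes
# its input as arguments so it can be run against captured output; the
# function names and the hostgroup/domain arguments are this script's own.

# Dmitri's point: the rule's sudoHost is an FQDN, so the client must present one.
hostname_is_fqdn() {
    case "$1" in
        *.*) return 0 ;;   # contains a dot: host.domain...
        *)   return 1 ;;   # bare short name, sudo's host match will fail
    esac
}

# Jr Aquino's point: the netgroup line in /etc/nsswitch.conf must list sss,
# otherwise IPA hostgroups are never resolved. $1 is the file's content.
nsswitch_netgroup_uses_sss() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*netgroup:.*[[:space:]]sss([[:space:]]|$)'
}

# `getent netgroup <hostgroup>` prints triples "(host,user,domain)"; this host
# must be the first field of one of them. $1 = getent output, $2 = this FQDN.
netgroup_contains_host() {
    printf '%s\n' "$1" | grep -Fq "($2,"
}

# domainname / nisdomainname must equal the expected domain, not "(none)".
domainname_matches() {
    [ "$1" = "$2" ]
}

# Run all four against the live system. $1 = IPA hostgroup name, $2 = expected
# domain. Prints one FAIL line per failed check and returns non-zero if any failed.
run_live_checks() {
    fqdn=$(hostname -f || hostname) rc=0
    hostname_is_fqdn "$fqdn" \
        || { echo "FAIL: hostname '$fqdn' is not an FQDN"; rc=1; }
    nsswitch_netgroup_uses_sss "$(cat /etc/nsswitch.conf)" \
        || { echo "FAIL: netgroup line in /etc/nsswitch.conf does not use sss"; rc=1; }
    netgroup_contains_host "$(getent netgroup "$1")" "$fqdn" \
        || { echo "FAIL: '$fqdn' not found in netgroup '$1'"; rc=1; }
    dom=$(domainname)
    domainname_matches "$dom" "$2" \
        || { echo "FAIL: domainname is '$dom', expected '$2'"; rc=1; }
    return "$rc"
}

# Usage (file name is this example's own): . ./sudo_host_checks.sh; run_live_checks <hostgroup> <domain>
```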