On 10/17/2012 07:26 AM, Macklin, Jason wrote:

   Rule name: test4
   Enabled: TRUE
   Command category: all
   Users: asteinfeld
   Hosts: dbduwdu062.dbr.roche.com
   Host Groups: tempsudo

Client dbduwdu062 is matched in the rule by both the hosts and groups entry.

/etc/nsswitch.conf has:

        Netgroups: files sss

Getent netgroup tempsudo returns:

        [jmacklin@dbduwdu062 Desktop]$ getent netgroup tempsudo
        tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)

To the previous ldapsearch request:

        [jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
        SASL/GSSAPI authentication started
        ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: Entry permanently locked.

I am still scratching my head on this one...

This means you cannot search using your kerberos ticket because the corresponding entry is locked. Try using directory manager:

ldapsearch -x -D "cn=directory manager" -W -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"


If you look closely, the reason that your admin works is because it appears to be 
matching a sudo rule who has the "ALL" hosts value set.

When you run the non working user, it is attempting to match the 
hostname/hostgroup to the rule and fails to do so.

Try this. Type: getent netgroup hostgroupname <- your host's hostgroup goes 

^ that command should return all of the hosts in your hostgroup. If it does 
not, then check /etc/nsswitch.conf and make sure that netgroup is set to use 

You will also need to make sure that the output of: domainname or nisdomainname 
matches your expected domain.

Let me know how things look after trying that.
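As an added illustration of the host-matching checks described above (example code written for this thread, not FreeIPA, SSSD or sudo code), the script below parses a `getent netgroup` line into its (host, user, domain) triples, applies the glibc innetgr()-style wildcard rules, and reports which of the three things the reply asks to verify (a netgroup source in nsswitch.conf, host membership, and the NIS domain from nisdomainname) is the one that fails. The sample line and hostnames are constructed from the values already quoted in the thread.

```python
import re

# Constructed sample that mirrors the getent output quoted earlier in this thread.
SAMPLE_GETENT = (
    "tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) "
    "(dbduwdu062.dbr.roche.com, -, dbr.roche.com)"
)

# One NIS netgroup triple: (host, user, domain). Any field may be '-' or empty.
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_netgroup(getent_line):
    """Turn one 'getent netgroup NAME' line into (name, [(host, user, domain), ...]).
    '-' is normalised to '' so both spellings of the wildcard compare equal."""
    parts = getent_line.strip().split(None, 1)
    name = parts[0] if parts else ""
    rest = parts[1] if len(parts) > 1 else ""
    triples = [tuple("" if f == "-" else f for f in m.groups())
               for m in TRIPLE_RE.finditer(rest)]
    return name, triples


def host_in_netgroup(triples, host, nis_domain):
    """Mirror glibc innetgr() for a host lookup: a triple admits the host when its
    host field is a wildcard or equals the hostname (case-insensitive) and its
    domain field is a wildcard, or the caller's NIS domain is unset, or both
    domains are equal. The user field does not matter for a sudo host match."""
    for h, _user, d in triples:
        host_ok = h == "" or h.lower() == host.lower()
        domain_ok = d == "" or nis_domain == "" or d.lower() == nis_domain.lower()
        if host_ok and domain_ok:
            return True
    return False


def diagnose(getent_line, host, nis_domain):
    """Report, in the order the thread suggests checking, why a host does or does
    not match the netgroup named in a sudo rule's Host Groups entry."""
    name, triples = parse_netgroup(getent_line)
    if not triples:
        return "no members returned: check the netgroup line in /etc/nsswitch.conf"
    if host_in_netgroup(triples, host, nis_domain):
        return f"{host} matches netgroup {name}"
    if any(h.lower() == host.lower() for h, _, _ in triples):
        return (f"{host} is listed in {name} but no triple accepts NIS domain "
                f"{nis_domain!r}: compare with the output of nisdomainname")
    return f"{host} is not a member of {name}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_GETENT, "dbduwdu062.dbr.roche.com", "dbr.roche.com"))
    print(diagnose(SAMPLE_GETENT, "dbduwdu062.dbr.roche.com", "wrong.example"))
```

On a real client, feed it the output of `getent netgroup <hostgroup>`, the host's FQDN, and the output of `nisdomainname` to see which of the three checks is the one that fails.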

Freeipa-users mailing list
