On Jun 5, 2013, at 1:47 PM, KodaK wrote:

Sorry, for some reason gmail makes me forget about "reply all."

On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal 
<d...@redhat.com<mailto:d...@redhat.com>> wrote:
On 06/05/2013 11:20 AM, KodaK wrote:
I know this has been discussed before, but I didn't see anything with a cursory 

There are bugs when using user and host groups with sudo rules.  I have to 
split out my users and hosts into individual entries.  I'm running ipa 3.0.0-26 
on RHEL.

All I really want to know is if this is fixed upstream.

I am not sure I recall a bug you are referring to. A quick scan against the 
open tickets does not reveal anything like what you describe.
Can you provide the description of the issue or point to the earlier thread on 
the matter?

I'm going off of memory on seeing the previous bug.  It very well could be a 
false memory.

I have a rule like this:

[jebalicki@mo0033802 ~]$ ipa sudorule-show esolutions-sandbox-root-access
  Rule name: esolutions-sandbox-root-access
  Enabled: TRUE
  Users: slfries, awellard
  Hosts: slnessbxl01.unix.magellanhealth.com
  Sudo Allow Commands: /bin/su -

This works.  However, if I change the rule to use hostgroups instead of listing 
the hosts individually the rule will not work.

The groups still exist and look like this:

[jebalicki@mo0033802 ~]$ ipa hostgroup-show esolutions-sandbox-hosts
  Host-group: esolutions-sandbox-hosts
  Description: esolutions sandbox hosts
  Member hosts: slnessbxl01.unix.magellanhealth.com
  Member of HBAC rule: esolutions-sandbox-access

[jebalicki@mo0033802 ~]$ ipa group-show esolutions
  Group name: esolutions
  Description: esolutions group
  GID: 1115600250
  Member users: awellard, slfries
  Member of HBAC rule: esolutions-sandbox-access

Client machine is pretty much default-out-of-the-box IRT IPA configuration, 
here's the installer output (installs during kickstart):

[root@slnessbxl01 ~]# cat ks-post.log
Discovery was successful!
Hostname: slnessbxl01.unix.magellanhealth.com
IPA Server: slpidml01.unix.magellanhealth.com
BaseDN: dc=unix,dc=magellanhealth,dc=com

Synchronizing time with KDC...

Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.MAGELLANHEALTH.COM
Warning: Hostname (slnessbxl01.unix.magellanhealth.com) not found in DNS
DNS server record set to: slnessbxl01.unix.magellanhealth.com ->
SSSD enabled
NTP enabled
Client configuration complete.

[root@slnessbxl01 ~]# rpm -qa | grep ipa
[root@slnessbxl01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[root@slnessbxl01 ~]#


Can you confirm that the output of the following commands:
1. $ domainname
* does it match your domain?
2. $ hostname
* does match match your fqdn?
3. $ getent netgroup esolutions-sandbox-hosts
* does this list your host?
4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?

Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or 
/etc/ldap.conf, depending on what version of RHEL/Sudo you're running):

At the top, add the line: sudoers_debug 2

Then try another sudo command. sudo -l for example.

This should result in a long list of search criteria and status.  The last few 
lines should indicate where any matches occurred.

"Keeping your head in the cloud"
JR Aquino

Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Exploit Researcher and Advanced Penetration Tester |
GIAC WebApplication Penetration Tester | GIAC Certified Incident Handler


Powering mobile workstyles and cloud services

Freeipa-users mailing list

<<inline: image002.jpg>>

Freeipa-users mailing list

Reply via email to