That didn't work either. I set up the host group in my sudo rule, stopped sssd, renamed /var/lib/sss/db and created a new db directory, then restarted sssd. New files were created in the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.

Thanks,
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Steven Jones [mailto:steven.jo...@vuw.ac.nz]
Sent: Monday, July 15, 2013 4:15 PM
To: Tovey, Mark; James Hogarth
Cc: Freeipa-users@redhat.com
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?

Hi,

This is a known issue I've suffered a long time with. What would be interesting is adding another host to the host group could well work fine; that will really make you bang your head against the wall.

2 possibilities: stop the sssd daemon on the problem host, delete its cache and start it, that might fix it.

Otherwise, best to do all RH support could come up with: delete the HBAC rule, sudo rule, user group and host group and re-do it, then it will probably work fine.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Tovey, Mark [mto...@go2uti.com]
Sent: Tuesday, 16 July 2013 10:54 a.m.
To: James Hogarth
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
I checked that and it is set correctly:

[user1@host1 ~]$ nisdomainname
my_domain.com

If I try to run a command with the hosts specified indirectly through a host group, it fails:

[user1@host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri              ldap://ipa_server.my_domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=my_domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw           **********
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt

But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine:

<snip>
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account@host1 ~]$

So something isn't lining up correctly with host groups in sudo rules somewhere. I just haven't been able to track it down.

Thanks,
-Mark

From: James Hogarth [mailto:james.hoga...@gmail.com]
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

> > > Did anyone find a solution for this? I am having the same experience.
> > >

Wow that was a mess... To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.
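The debug traces in this thread show sudo deciding user_matches and host_matches per rule, with '+hgroup1' failing while a literal host name matches. The Python below is an added illustration written for this page (not sudo's source and not code from anyone in the thread) of how sudo's LDAP backend evaluates a sudoHost value: ALL, a +netgroup looked up with innetgr(3) semantics (a None query field matches anything, a '-' triple field matches nothing) and the NIS domain that nisdomainname reports, a glob pattern, or a literal host name. The NETGROUPS table is constructed to stand in for the triples the sss NSS module exposes for an IPA host group; address matching and '!' negation are left out, and the innetgr function here is a stand-in, not a binding to glibc.

```python
"""Simulation of sudo's LDAP sudoHost evaluation (added example, not sudo's source)."""
from fnmatch import fnmatch

# Constructed stand-in for the netgroup an IPA host group becomes through NSS:
# netgroup name -> list of (host, user, domain) triples. The domain field is
# what has to agree with the nisdomainname of the host running sudo.
NETGROUPS = {
    "hgroup1": [
        ("host1.my_domain.com", "-", "my_domain.com"),
        ("host2.my_domain.com", "-", "my_domain.com"),
    ],
}


def _field_matches(field, query):
    """innetgr(3) field semantics: a None query matches any field, a '-' in the
    triple matches nothing, an empty triple field is a wildcard."""
    if query is None:
        return True
    if field == "-":
        return False
    if field == "":
        return True
    return field.lower() == query.lower()


def innetgr(netgroup, host, user, domain):
    """Return True if (host, user, domain) is a member of netgroup, using the
    constructed NETGROUPS table instead of the NSS netgroup database."""
    for h, u, d in NETGROUPS.get(netgroup, []):
        if (_field_matches(h, host) and _field_matches(u, user)
                and _field_matches(d, domain)):
            return True
    return False


def sudo_host_matches(sudo_host, fqdn, nis_domain):
    """Decide whether one sudoHost value applies to this host, in the order
    sudo's LDAP backend tries: ALL, +netgroup, glob pattern, literal name.
    nis_domain is what `nisdomainname` prints; "(none)" or "" means no domain,
    which innetgr treats as a wildcard."""
    shost = fqdn.split(".", 1)[0]  # short host name, tried as a fallback
    if sudo_host == "ALL":
        return True
    if sudo_host.startswith("+"):
        domain = nis_domain if nis_domain and nis_domain != "(none)" else None
        netgroup = sudo_host[1:]
        return (innetgr(netgroup, fqdn, None, domain)
                or innetgr(netgroup, shost, None, domain))
    if any(c in sudo_host for c in "*?["):
        pattern = sudo_host.lower()
        return fnmatch(fqdn.lower(), pattern) or fnmatch(shost.lower(), pattern)
    return sudo_host.lower() in (fqdn.lower(), shost.lower())


def evaluate_rule(sudo_hosts, fqdn, nis_domain):
    """Produce the per-value trace lines and the final host_matches flag, in the
    same shape as the sudo debug output quoted in this thread."""
    trace = []
    matched = False
    for value in sudo_hosts:
        ok = sudo_host_matches(value, fqdn, nis_domain)
        trace.append(f"sudo: ldap sudoHost '{value}' ... {'MATCH!' if ok else 'not'}")
        matched = matched or ok
    trace.append(f"sudo: host_matches={int(matched)}")
    return matched, trace


if __name__ == "__main__":
    # Same rule, same host: only the NIS domain differs between the two runs.
    for domain in ("my_domain.com", "wrong.example"):
        print(f"nisdomainname={domain}")
        for line in evaluate_rule(["+hgroup1"], "host1.my_domain.com", domain)[1]:
            print("  " + line)
    # A literal host name never consults the netgroup table or the NIS domain.
    print(evaluate_rule(["host1.my_domain.com"], "host1.my_domain.com", "wrong.example")[1])
```

Running it prints host_matches=1 with the domain that the netgroup triples carry and host_matches=0 with any other domain, while the literal host name matches regardless. That is the asymmetry the two traces above show, and it is why the first thing to compare on a failing host is the domain in `getent netgroup hgroup1` output against what `nisdomainname` reports.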
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users