Alexandre Ellert wrote:
Hi,

I'm trying to get working a sudo rule for a group of user, basically if want to 
allow all the developers (dev-users) to become root on developers servers 
(dev-servers).
When this rule is applied to a single host or all hosts or severals named host, 
it works fine : dev-users can sudo without prompting for a password (I have 
sudo option !authenticate)
But if I apply the rule to the dev-servers group, it doesn't work : when a 
member of dev-users try to sudo, it prompt for a password and even the password 
is correct, password is asked again.

I use ipa-server-3.0.0-26.el6_4.4 and RHEL 6 and a custom Debian package for 
clients (based on freeipa 3.0.2).
I checked /etc/sudo-ldap.conf, /etc/nsswitch.conf and /etc/rc.local on clients 
and everything seems correct.

Do i missed something ?

Thanks for your help.

hostgroups are visible as netgroups on client machines, so you need a working netgroups configuration. You should have sss as a provider for netgroup in /etc/nsswitch.conf and you need to set the NIS domain name via nisdomainname (to match your domain name).

You can test fetching a hostgroup as a netgroup with: getent netgroup dev-users. It should look something like:

dev-users (host1.example.com,-,example.com) (host2.example.com,-,example.com)

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to