I'm having an issue where user's can't use sudo commands on ipa client
hosts.  I previously thought my issues with sudo were related to the
type of commands, but I've narrowed it down to an issue with using
host groups in the sudo rule access list instead of listing the hosts
directly.  When I use the host group with the host in it, my user
cannot run the sudo commands on the host.

I have multiple debugs on in my sssd.conf and I have a ton of log
files but i'm not sure what will be useful in helping me troubleshoot.

IPA client 3.0.0
Centos 6.6


To reproduce:

Add in sudo command
Create command group
Create host group
Add host into host group
create sudo rule
use user groups, host groups, and sudo command groups to create rule

Go onto client server
clear out /var/lib/sss/db
restart sssd
test sudo for a user in the user group

Test will fail.

If i do the same steps and just list the hosts for the sudo rule
access, and not the host groups, the sudo commands works fine for the
user.


When i'm using host groups in the sssd_EXAMPLE.COM.log i see what
looks like a successful check for the host in the host group.  My
hostgroup is uatcluster:

(Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
[sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute
while id-mapping. [0][Success]
(Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]]
[be_get_account_info] (0x0100): Got request for
[4100][1][name=uatcluster]
(Thu May  7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Thu May  7 18:57:09 2015) [sssd[be[EXAMPLE.COM]]] [cleanup_groups]
(0x0200): Found 3 expired group entries!


i tried to recreate all of my host groups, and uninstall and reinstall
the ipa client on one of my hosts.  Nothing seems to fix the issue.
I'm not really sure where to go from here.  It took me 4 days to
figure get this far.  I'm only mostly sure this is the issue.


Thanks in advance for any help.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to