Dmitri Pal wrote:
> On 05/07/2015 03:07 PM, Megan . wrote:
>> I'm having an issue where users can't use sudo commands on ipa client
>> hosts. I previously thought my issues with sudo were related to the
>> type of commands, but I've narrowed it down to an issue with using
>> host groups in the sudo rule access list instead of listing the hosts
>> directly. When I use the host group with the host in it, my user
>> cannot run the sudo commands on the host.
>>
>> I have multiple debugs on in my sssd.conf and I have a ton of log
>> files but I'm not sure what will be useful in helping me troubleshoot.
>>
>> IPA client 3.0.0
>> Centos 6.6
>>
>> To reproduce:
>>
>> Add in sudo command
>> Create command group
>> Create host group
>> Add host into host group
>> Create sudo rule
>> Use user groups, host groups, and sudo command groups to create rule
>>
>> Go onto client server
>> Clear out /var/lib/sss/db
>> Restart sssd
>> Test sudo for a user in the user group
>>
>> Test will fail.
>>
>> If I do the same steps and just list the hosts for the sudo rule
>> access, and not the host groups, the sudo commands work fine for the
>> user.
>>
>> When I'm using host groups, in the sssd_EXAMPLE.COM.log I see what
>> looks like a successful check for the host in the host group. My
>> hostgroup is uatcluster:
>>
>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [be_get_account_info] (0x0100): Got request for [4100][1][name=uatcluster]
>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Thu May 7 18:57:09 2015) [sssd[be[EXAMPLE.COM]]] [cleanup_groups] (0x0200): Found 3 expired group entries!
>>
>> I tried to recreate all of my host groups, and uninstall and reinstall
>> the ipa client on one of my hosts. Nothing seems to fix the issue.
>> I'm not really sure where to go from here. It took me 4 days to
>> get this far. I'm only mostly sure this is the issue.
>>
>> Thanks in advance for any help.
>
> What version are you using?
> This sounds familiar. I vaguely remember a bug being fixed in this area
> some time ago.

Make sure nisdomainname is set to your domain.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html#sudo-nis

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
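Rob's pointer is that an IPA host group in a sudo rule is matched through a NIS-style netgroup, whose domain field has to agree with the client's nisdomainname. The POSIX shell script below is an added example, not part of the thread or of IPA/sudo, and it emulates that comparison on constructed data (a sample default.conf, a made-up `getent netgroup uatcluster` line with hosts uat01/uat02.example.com); the triple layout and the matching rule are my reading of the check, not sudo's own code.

```shell
# Constructed /etc/ipa/default.conf-style sample (not copied from any real host).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
realm = EXAMPLE.COM
domain = example.com
EOF

# Constructed `getent netgroup uatcluster` output: the hostgroup shows up as a
# netgroup of (host,user,domain) triples whose domain field is the IPA domain.
SAMPLE_NETGROUP='uatcluster (uat01.example.com,-,example.com) (uat02.example.com,-,example.com)'

# Print the IPA domain from a default.conf-style file, lower-cased (empty if absent).
ipa_domain_from_conf() {
    sed -n 's/^[[:space:]]*domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr 'A-Z' 'a-z'
}

# Succeed when the NIS domain name ($2, as printed by `nisdomainname`) equals the
# IPA domain ($1), ignoring case. An unset nisdomainname prints "(none)".
nis_domain_matches() {
    conf=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    nis=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$conf" ] && [ "$conf" = "$nis" ]
}

# Emulate the netgroup membership test a hostgroup-based sudo rule depends on:
# a triple matches when its host field equals $1 and its domain field is empty
# or equals the NIS domain $2; $3 is one line of `getent netgroup` output.
sudo_netgroup_match() {
    host=$1
    nisdom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$3" | tr ' ' '\n' | sed -n 's/^(\(.*\))$/\1/p' |
    while IFS=, read -r h _user d; do
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        if [ "$h" = "$host" ] && { [ -z "$d" ] || [ "$d" = "$nisdom" ]; }; then
            echo match
        fi
    done | grep -q match
}

# Walk the check for the thread's hostgroup with nisdomainname unset, then set.
ipa_domain=$(ipa_domain_from_conf "$SAMPLE_CONF")
for nis in '(none)' 'example.com'; do
    if nis_domain_matches "$ipa_domain" "$nis" && sudo_netgroup_match uat01.example.com "$nis" "$SAMPLE_NETGROUP"; then
        echo "nisdomainname=$nis: host matches uatcluster, the sudo rule can apply"
    else
        echo "nisdomainname=$nis: hostgroup match fails, set nisdomainname to $ipa_domain"
    fi
done
```

On a real client, feed it /etc/ipa/default.conf, the output of `nisdomainname`, and `getent netgroup <hostgroup>` instead of the constructed samples.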
