Thank you for the link. I had the nisdomainname set to the hostname of the directory server. I changed it to the domain (example.com instead of dir1.example.com) and that seems to have corrected my issue. Thank you so much!
I have it set in /etc/rc.d/rc.local so that it comes up on boot, but I was reading that setting NISDOMAIN in /etc/sysconfig/network might be a better place for it. Are there any pros/cons?

On Thu, May 7, 2015 at 3:43 PM, Rob Crittenden <[email protected]> wrote:
> Dmitri Pal wrote:
>> On 05/07/2015 03:07 PM, Megan . wrote:
>>> I'm having an issue where users can't use sudo commands on ipa client
>>> hosts. I previously thought my issues with sudo were related to the
>>> type of commands, but I've narrowed it down to an issue with using
>>> host groups in the sudo rule access list instead of listing the hosts
>>> directly. When I use the host group with the host in it, my user
>>> cannot run the sudo commands on the host.
>>>
>>> I have multiple debugs on in my sssd.conf and I have a ton of log
>>> files but I'm not sure what will be useful in helping me troubleshoot.
>>>
>>> IPA client 3.0.0
>>> Centos 6.6
>>>
>>> To reproduce:
>>>
>>> Add in sudo command
>>> Create command group
>>> Create host group
>>> Add host into host group
>>> Create sudo rule
>>> Use user groups, host groups, and sudo command groups to create rule
>>>
>>> Go onto client server
>>> Clear out /var/lib/sss/db
>>> Restart sssd
>>> Test sudo for a user in the user group
>>>
>>> Test will fail.
>>>
>>> If I do the same steps and just list the hosts for the sudo rule
>>> access, and not the host groups, the sudo commands work fine for the
>>> user.
>>>
>>> When I'm using host groups, in the sssd_EXAMPLE.COM.log I see what
>>> looks like a successful check for the host in the host group. My
>>> hostgroup is uatcluster:
>>>
>>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
>>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [be_get_account_info] (0x0100): Got request for [4100][1][name=uatcluster]
>>> (Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>>> (Thu May 7 18:57:09 2015) [sssd[be[EXAMPLE.COM]]] [cleanup_groups] (0x0200): Found 3 expired group entries!
>>>
>>> I tried to recreate all of my host groups, and uninstall and reinstall
>>> the ipa client on one of my hosts. Nothing seems to fix the issue.
>>> I'm not really sure where to go from here. It took me 4 days to
>>> get this far. I'm only mostly sure this is the issue.
>>>
>>> Thanks in advance for any help.
>>>
>>
>> What version are you using?
>> This sounds familiar. I vaguely remember a bug being fixed in this area
>> some time ago.
>>
>
> Make sure nisdomainname is set to your domain.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html#sudo-nis
>
> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
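Added here as an example, not code from the thread or from FreeIPA: a small POSIX shell check that the NISDOMAIN an IPA client announces matches the ipa_domain in its sssd.conf, which is the mismatch this thread turned on (NISDOMAIN had been set to the directory server's hostname rather than the domain). It assumes the RHEL/CentOS 6 layout of "ipa_domain = ..." in sssd.conf and "NISDOMAIN=..." in /etc/sysconfig/network; the sample files it reads are constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that the NIS domain an IPA client
# will use for netgroup (host group) lookups equals the IPA domain in sssd.conf.
# Assumed layout (RHEL/CentOS 6): "ipa_domain = ..." in sssd.conf and
# "NISDOMAIN=..." in /etc/sysconfig/network. Sample files below are constructed.

# Print the first ipa_domain value found in an sssd.conf-style file.
ipa_domain_from_sssd() {
    sed -n 's/^[[:space:]]*ipa_domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print the NISDOMAIN value from a sysconfig/network-style file, quotes stripped.
nisdomain_from_network() {
    sed -n 's/^NISDOMAIN=//p' "$1" | tr -d '"' | head -n 1
}

# check_nisdomain SSSD_CONF NETWORK_FILE
# 0 = match (case-insensitive), 1 = mismatch, 2 = no ipa_domain configured.
check_nisdomain() {
    ipa=$(ipa_domain_from_sssd "$1" | tr 'A-Z' 'a-z')
    nis=$(nisdomain_from_network "$2" | tr 'A-Z' 'a-z')
    if [ -z "$ipa" ]; then
        echo "no ipa_domain found in $1" >&2
        return 2
    fi
    if [ "$ipa" = "$nis" ]; then
        echo "OK: NISDOMAIN '$nis' matches ipa_domain '$ipa'"
        return 0
    fi
    echo "MISMATCH: NISDOMAIN '$nis' but ipa_domain is '$ipa'; sudo rules" \
         "that use host groups will not match this host" >&2
    return 1
}

# Constructed sample files standing in for /etc/sssd/sssd.conf and
# /etc/sysconfig/network on a CentOS 6 IPA client.
tmp=$(mktemp -d)
printf '[domain/example.com]\nid_provider = ipa\nipa_domain = example.com\nipa_server = dir1.example.com\nsudo_provider = ldap\n' > "$tmp/sssd.conf"
# Wrong: NISDOMAIN set to the directory server's hostname.
printf 'NETWORKING=yes\nNISDOMAIN=dir1.example.com\n' > "$tmp/network.bad"
# Corrected: NISDOMAIN set to the IPA domain.
printf 'NETWORKING=yes\nNISDOMAIN="example.com"\n' > "$tmp/network.good"

check_nisdomain "$tmp/sssd.conf" "$tmp/network.bad" || true   # reports MISMATCH
check_nisdomain "$tmp/sssd.conf" "$tmp/network.good"           # reports OK
rm -rf "$tmp"
```

On a live host, the value currently in effect is what `nisdomainname` prints, so that output should equal the ipa_domain as well, whichever file sets it at boot.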
