I made the edit as suggested - removing nis and just leaving sss - restarted sssd and then re-tried. I also tried with files sss. Still getting the same result.
Thanks,
Jeff

On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson <[email protected]> wrote:

> This looks suspicious
>
> Aug 12 08:45:00 sudo[31732] val[0]=+office
> Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195
> Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56
> Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false
> Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
> Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false
> Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015
> Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953
> Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null)
> Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
> Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false
> Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819
> Aug 12 08:45:00 sudo[31732] host docker-dev-01.internal.emerlyn.com matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
> Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false
> Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
> Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false
>
> It doesn't seem to find this host as part of the hostgroup, I suspect the
> problem is because of this entry in nsswitch:
>
> netgroup: nis sss
>
> Could you try just 'sss' or 'files sss' ?
>
> A successful hostgroup match should look something like this instead:
>
> Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
> Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190
> Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62
> Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false
> Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
> Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558
> Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740
> Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
> Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856
> Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction
> Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
> Aug 12 14:20:32 sudo[25075] IPA hostname (rhel7-ipa-client.example.com) matches +nonproduction => true
> Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true
> Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
> Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true
>
> Kind regards,
> Justin Stephenson

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
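
An added example, not part of the original thread and not code from sudo or SSSD: a small Python script that groups the `<-` return lines of a sudo debug log under each sudoHost verdict, so the failing and the successful hostgroup match quoted above can be compared function by function. The sample log is a subset of the lines quoted in the thread; the function name `summarize` is hypothetical.

```python
import re

# Sample input: a subset of the sudo debug lines quoted in the thread.
SAMPLE_LOG = """\
Aug 12 08:45:00 sudo[31732] val[0]=+office
Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false
Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null)
Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false
Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false
Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
"""

# "Mon DD HH:MM:SS sudo[pid] message"
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ sudo\[(?P<pid>\d+)\] (?P<msg>.*)$")
# "<- function @ file:line := value"
RETURN = re.compile(r"^<- (?P<func>\w+) @ \S+ := (?P<value>.+)$")
# "sssd/ldap sudoHost '+group' ... not" or "... MATCH!"
VERDICT = re.compile(r"^sssd/ldap sudoHost '(?P<host>[^']+)' \.\.\. (?P<result>.+)$")

def summarize(log_text):
    """Return one dict per sudoHost verdict: pid, sudoHost, matched, returns."""
    pending = {}   # pid -> function returns seen since the last val[0]= line
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("val[0]="):
            pending[pid] = {}          # a new sudoHost value is being evaluated
        elif (r := RETURN.match(msg)):
            pending.setdefault(pid, {})[r["func"]] = r["value"]
        elif (v := VERDICT.match(msg)):
            results.append({"pid": pid, "sudoHost": v["host"],
                            "matched": v["result"].startswith("MATCH"),
                            "returns": pending.pop(pid, {})})
    return results

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(r["pid"], r["sudoHost"], "MATCH" if r["matched"] else "no match")
        for func, value in r["returns"].items():
            print(f"    {func} := {value}")
```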
