In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix' because sudo has no understanding of hostgroups.

You should be able to query this on a client with

      # getent netgroup office

This should return a nisNetgroupTriple for each host in the hostgroup:

(ipa-client-1.example.com,-,example.com) (ipa-client-2.example.com,-,example.com)

I would check this in your environment between working and non-working systems.

I believe in later versions of sssd they added IPA sudo schema support to eliminate the need for the compat tree so this could be related to the issue if newer ubuntu clients are not working but CentOS is working.

What version of sssd are you running?

Kind regards,

Justin Stephenson
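The two checks discussed in this thread (the nsswitch `netgroup:` source order and whether the local host appears in the compat-tree netgroup returned by `getent netgroup`) as an added POSIX shell helper. This is not code from the thread or from the sssd/FreeIPA projects. It assumes `getent netgroup` prints `<name> (host,user,domain) ...` as shown above, applies the NIS rules that an empty host field is a wildcard and `-` never matches, and ignores the domain field, which is what `innetgr()` does when called with a NULL domain (the failing log above shows `sudo_getdomainname` returning `(null)`).

```shell
#!/bin/sh
# Added diagnostic helper for the getent/nsswitch checks discussed in this thread.
# Not from the thread or from sssd/FreeIPA. Assumptions: `getent netgroup` prints
# "<name> (host,user,domain) ...", an empty host field is a wildcard and "-" never
# matches (NIS netgroup rules), and the domain field is ignored, as innetgr() does
# when the caller passes a NULL domain.

# nsswitch_netgroup_sources NSSWITCH_FILE
# Prints the source list configured for the "netgroup" database, e.g. "nis sss".
nsswitch_netgroup_sources() {
    awk '$1 == "netgroup:" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# nsswitch_nis_before_sss SOURCES
# Returns 0 if "nis" is consulted before "sss" (the ordering questioned in the thread).
nsswitch_nis_before_sss() {
    for ng_src in $1; do
        case $ng_src in
            nis) return 0 ;;
            sss) return 1 ;;
        esac
    done
    return 1
}

# netgroup_has_host NETGROUP_LINE HOSTNAME
# NETGROUP_LINE is one line of `getent netgroup <name>` output. Prints the first
# triple whose host field matches HOSTNAME (case-insensitive) and returns 0;
# returns 1 when the host is not a member or the netgroup has no members.
netgroup_has_host() {
    ng_line=$1
    ng_want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # Everything after the first space is the space-separated list of triples.
    ng_rest=${ng_line#* }
    # No space at all: name only (or empty output), so there is nothing to match.
    [ "$ng_rest" != "$ng_line" ] || return 1
    (
        set -f   # a triple may contain "*"; do not let the shell glob it
        for ng_triple in $ng_rest; do
            ng_field=${ng_triple#\(}        # drop the leading "("
            ng_field=${ng_field%%,*}        # keep only the host field
            ng_field=$(printf '%s' "$ng_field" | tr 'A-Z' 'a-z')
            if [ "$ng_field" = "$ng_want" ] || [ -z "$ng_field" ]; then
                printf '%s\n' "$ng_triple"
                exit 0
            fi
        done
        exit 1
    )
}

# check_local_host NETGROUP
# Live check on an enrolled client: reports the nsswitch source order and whether
# this host appears in NETGROUP as resolved by the configured sources. Not run by
# the self-test because it needs a working IPA client.
check_local_host() {
    ng_srcs=$(nsswitch_netgroup_sources /etc/nsswitch.conf)
    printf 'nsswitch netgroup sources: %s\n' "${ng_srcs:-<not set>}"
    if nsswitch_nis_before_sss "$ng_srcs"; then
        echo "warning: 'nis' is consulted before 'sss' for netgroup lookups"
    fi
    if ng_hit=$(netgroup_has_host "$(getent netgroup "$1")" "$(hostname -f)"); then
        echo "$(hostname -f) is in netgroup $1: $ng_hit"
    else
        echo "$(hostname -f) is NOT in netgroup $1 (or the netgroup is empty)"
        return 1
    fi
}

# Usage on a client:  check_local_host office
```

Run `check_local_host office` on both a working and a non-working client and compare the two outputs: if the host is missing from the triples on the failing client, the problem is in netgroup resolution, not in the sudo rule itself.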

On 08/12/2016 02:35 PM, Jeff Goddard wrote:
I made the edit as suggested - removing nis and just leaving sss - restarted sssd and then re-tried. I also tried with files sss. Still getting the same result.

Thanks,

Jeff

On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson <jstep...@redhat.com> wrote:

    This looks suspicious

        Aug 12 08:45:00 sudo[31732] val[0]=+office
        Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195
        Aug 12 08:45:00 sudo[31732] -> addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:56
        Aug 12 08:45:00 sudo[31732] <- addr_matches_if @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:66 := false
        Aug 12 08:45:00 sudo[31732] IP address +office matches local host: false @ addr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:206
        Aug 12 08:45:00 sudo[31732] <- addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:207 := false
        Aug 12 08:45:00 sudo[31732] -> netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1015
        Aug 12 08:45:00 sudo[31732] -> sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:953
        Aug 12 08:45:00 sudo[31732] <- sudo_getdomainname @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:992 := (null)
        Aug 12 08:45:00 sudo[31732] netgroup office matches (docker-dev-01.internal.emerlyn.com|docker-dev-01.internal.emerlyn.com, jgoddard, ): false @ netgr_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1041
        Aug 12 08:45:00 sudo[31732] <- netgr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:1044 := false
        Aug 12 08:45:00 sudo[31732] -> hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:819
        Aug 12 08:45:00 sudo[31732] host docker-dev-01.internal.emerlyn.com matches sudoers pattern +office: false @ hostname_matches() /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:829
        Aug 12 08:45:00 sudo[31732] <- hostname_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match.c:830 := false
        Aug 12 08:45:00 sudo[31732] sssd/ldap sudoHost '+office' ... not
        Aug 12 08:45:00 sudo[31732] <- sudo_sss_check_host @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/sssd.c:687 := false

    It doesn't seem to find this host as part of the hostgroup, I
    suspect the problem is because of this entry in nsswitch:

         netgroup:       nis sss

    Could you try just 'sss' or 'files sss' ?

    A successful hostgroup match should look something like this instead:

            Aug 12 14:20:32 sudo[25075] val[0]=+nonproduction
            Aug 12 14:20:32 sudo[25075] -> addr_matches @ ./match_addr.c:190
            Aug 12 14:20:32 sudo[25075] -> addr_matches_if @ ./match_addr.c:62
            Aug 12 14:20:32 sudo[25075] <- addr_matches_if @ ./match_addr.c:100 := false
            Aug 12 14:20:32 sudo[25075] <- addr_matches @ ./match_addr.c:200 := false
            Aug 12 14:20:32 sudo[25075] -> sudo_sss_ipa_hostname_matches @ ./sssd.c:558
            Aug 12 14:20:32 sudo[25075] -> hostname_matches @ ./match.c:740
            Aug 12 14:20:32 sudo[25075] <- hostname_matches @ ./match.c:751 := false
            Aug 12 14:20:32 sudo[25075] -> netgr_matches @ ./match.c:856
            Aug 12 14:20:32 sudo[25075] (rhel7-ipa-client.example.com, *, example.com) found in netgroup nonproduction
            Aug 12 14:20:32 sudo[25075] <- netgr_matches @ ./match.c:909 := true
            Aug 12 14:20:32 sudo[25075] IPA hostname (rhel7-ipa-client.example.com) matches +nonproduction => true
            Aug 12 14:20:32 sudo[25075] <- sudo_sss_ipa_hostname_matches @ ./sssd.c:569 := true
            Aug 12 14:20:32 sudo[25075] sssd/ldap sudoHost '+nonproduction' ... MATCH!
            Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @ ./sssd.c:614 := true

    Kind regards,
    Justin Stephenson

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project