Re: [Freeipa-users] Help understanding issue with CentOS freeipa sudo host groups

2015-11-18 Thread Sparks, Alan
 
>> [root@als-centos0002 sys-ops]# nisdomainname 
>> dakar.useast.hpcloud.net
>> 
>> [root@als-centos0002 sys-ops]# getent netgroup opsauto
>> opsauto  
>> (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal)
>> (als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)
> 

>Your NIS domain name doesn't match. dakar.useast.hpcloud.net != 
>eucalyptus.internal
>rob

Thanks for that.   I must be misunderstanding the purpose of the --domain 
option.
-Alan

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Help understanding issue with CentOS freeipa sudo host groups

2015-11-18 Thread Sparks, Alan
I still can't find the problem after a lot of searching, can someone give me a 
little advice?   Assembling a POC of FreeIPA 4.1.0 server (stock CentOS-7 
packages) and a CentOS 6.7 server with their stock 3.0.0 packages.   Sudo 
version on the client is sudo-1.8.6p3.

Have created a general sudo rule on the IPA server to grant access to a host 
group.   However it doesn't allow access, just a "sparksa is not allowed to run 
sudo on als-centos0002".   If I change the rule to not use host groups, and 
explicitly set the hosts, it works OK.

Have checked the stuff I've seen in general search, like the nisdomainname, 
values are set and look plausible.   The sudo debug logs seem to indicate 
vaguely that it can't match the netgroup:

Nov 18 16:07:37 sudo[15713]   username=sparksa
Nov 18 16:07:37 sudo[15713] domainname=(null)
Nov 18 16:07:37 sudo[15713] Received 1 rule(s)
Nov 18 16:07:37 sudo[15713] sssd/ldap sudoHost '+opsauto' ... not
Nov 18 16:07:37 sudo[15713] Sorting the remaining entries using the sudoOrder 
attribute
Nov 18 16:07:37 sudo[15713] searching SSSD/LDAP for sudoers entries
Nov 18 16:07:37 sudo[15713] Done with LDAP searches
Nov 18 16:07:37 sudo[15713] keep 
HOSTNAME=als-centos0002.dakar.useast.hpcloud.net: YES
Nov 18 16:07:37 sudo[15713] sudo_putenv: 
HOSTNAME=als-centos0002.dakar.useast.hpcloud.net

The setup of the client used the normal 'ipa-client-install' script.   From 
questions asked before, some salient debugging info:

[root@als-centos0002 sys-ops]# nisdomainname
dakar.useast.hpcloud.net
[root@als-centos0002 sys-ops]# hostname
als-centos0002.dakar.useast.hpcloud.net
[root@als-centos0002 sys-ops]# getent netgroup opsauto
opsauto   (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal) 
(als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)

Does anyone have any advice on what additional debug I should look at, just not 
sure what I'm missing.   Thanks in advance.
-Alan

Re: [Freeipa-users] Help understanding issue with CentOS freeipa sudo host groups

2015-11-18 Thread Rob Crittenden
Sparks, Alan wrote:
> I still can’t find the problem after a lot of searching, can someone
> give me a little advice?   Assembling a POC of FreeIPA 4.1.0 server
> (stock CentOS-7 packages) and a CentOS 6.7 server with their stock 3.0.0
> packages.   Sudo version on the client is sudo-1.8.6p3.
>
> Have created a general sudo rule on the IPA server to grant access to a
> host group.   However it doesn’t allow access, just a “sparksa is not
> allowed to run sudo on als-centos0002”.   If I change the rule to not
> use host groups, and explicitly set the hosts, it works OK.
>
> Have checked the stuff I’ve seen in general search, like the
> nisdomainname, values are set and look plausible.   The sudo debug logs
> seem to indicate vaguely that it can’t match the netgroup:
>
> Nov 18 16:07:37 sudo[15713]   username=sparksa
> Nov 18 16:07:37 sudo[15713] domainname=(null)
> Nov 18 16:07:37 sudo[15713] Received 1 rule(s)
> Nov 18 16:07:37 sudo[15713] sssd/ldap sudoHost '+opsauto' ... not
> Nov 18 16:07:37 sudo[15713] Sorting the remaining entries using the
> sudoOrder attribute
> Nov 18 16:07:37 sudo[15713] searching SSSD/LDAP for sudoers entries
> Nov 18 16:07:37 sudo[15713] Done with LDAP searches
> Nov 18 16:07:37 sudo[15713] keep
> HOSTNAME=als-centos0002.dakar.useast.hpcloud.net: YES
> Nov 18 16:07:37 sudo[15713] sudo_putenv:
> HOSTNAME=als-centos0002.dakar.useast.hpcloud.net
>
> The setup of the client used the normal ‘ipa-client-install’ script.
> From questions asked before, some salient debugging info:
>
> [root@als-centos0002 sys-ops]# nisdomainname
> dakar.useast.hpcloud.net
> [root@als-centos0002 sys-ops]# hostname
> als-centos0002.dakar.useast.hpcloud.net
> [root@als-centos0002 sys-ops]# getent netgroup opsauto
> opsauto  (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal)
> (als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)
>
> Does anyone have any advice on what additional debug I should look at,
> just not sure what I’m missing.   Thanks in advance.

Your NIS domain name doesn't match. dakar.useast.hpcloud.net !=
eucalyptus.internal

rob



Re: [Freeipa-users] Help understanding issue with CentOS freeipa sudo host groups

2015-11-18 Thread Rob Crittenden
Sparks, Alan wrote:
>  
>>> [root@als-centos0002 sys-ops]# nisdomainname 
>>> dakar.useast.hpcloud.net
>>>
>>> [root@als-centos0002 sys-ops]# getent netgroup opsauto
>>> opsauto  
>>> (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal)
>>> (als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)
>>
> 
>> Your NIS domain name doesn't match. dakar.useast.hpcloud.net != 
>> eucalyptus.internal
>> rob
> 
> Thanks for that.   I must be misunderstanding the purpose of the --domain 
> option.
> -Alan
> 

--domain in the server is the default DNS zone for the IPA installation.

--domain in the client tells it where to look for the IPA server in DNS.

There is no actual NIS domain but since netgroups are a NIS construct it
requires something to be set. The NIS domain needs to match the IPA
server domain.

rob

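Rob's explanation above, and Alan's original debugging output, both come down to how a netgroup triple is matched against the client. The following is an added example, not code from the thread, from sudo or from FreeIPA: it models the innetgr(3) matching rule (a triple `(host,user,domain)` matches when every field the caller supplies is either empty in the triple or equal to it) and applies it to the `getent netgroup opsauto` output pasted in the thread. It reproduces the failure for the client's real NIS domain `dakar.useast.hpcloud.net` and the success once the NIS domain is `eucalyptus.internal`; `netgroup_domains` lists the domain values a host's triples carry so the result of `nisdomainname` can be compared against them directly. The function names and the exact-string comparison are assumptions of this model, not sudo's or glibc's own code.

```python
"""Added example (not from the thread, sudo or FreeIPA): model netgroup host
matching so the NIS-domain mismatch reported above can be reproduced offline.

Semantics modelled on innetgr(3): for each triple (host, user, domain) a
field that is empty in the triple is a wildcard, a field the caller passes
as None is not checked, and otherwise the two strings must be equal. The
field value '-' therefore matches no real name. For a sudoHost entry such
as '+opsauto', sudo checks the client hostname and the NIS domain; the
user field plays no part in host matching.
"""
import re

# Output of `getent netgroup opsauto` exactly as pasted in the thread.
GETENT_OUTPUT = (
    "opsauto  (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal) "
    "(als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)"
)

# Values of `hostname` and `nisdomainname` from the thread.
CLIENT_FQDN = "als-centos0002.dakar.useast.hpcloud.net"
CLIENT_NIS_DOMAIN = "dakar.useast.hpcloud.net"

# One netgroup triple: three comma-separated fields, any of which may be empty.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(getent_line):
    """Return (netgroup_name, [(host, user, domain), ...]) from one getent line."""
    name, _, rest = getent_line.partition(" ")
    triples = [tuple(f.strip() for f in t) for t in TRIPLE_RE.findall(rest)]
    return name.strip(), triples


def innetgr(triples, host=None, user=None, domain=None):
    """Model of innetgr(3): True if any triple matches all supplied fields."""
    wanted = (host, user, domain)
    for triple in triples:
        # Per field: caller did not ask (None), triple wildcard (''), or equal.
        if all(v is None or f == "" or f == v for f, v in zip(triple, wanted)):
            return True
    return False


def sudo_host_allowed(getent_line, client_fqdn, nis_domain):
    """Would sudoHost '+<netgroup>' match this client? Host and NIS domain are
    checked; the user field is not (sudo passes no user for host matching)."""
    _, triples = parse_netgroup(getent_line)
    return innetgr(triples, host=client_fqdn, domain=nis_domain)


def netgroup_domains(getent_line, client_fqdn):
    """Domain fields of the triples that name this host, for comparison with
    the output of `nisdomainname` on the client."""
    _, triples = parse_netgroup(getent_line)
    return {dom for host, _user, dom in triples if host in ("", client_fqdn) and dom}


if __name__ == "__main__":
    name, triples = parse_netgroup(GETENT_OUTPUT)
    print(f"netgroup {name}: {len(triples)} triple(s)")
    for nis in (CLIENT_NIS_DOMAIN, "eucalyptus.internal"):
        ok = sudo_host_allowed(GETENT_OUTPUT, CLIENT_FQDN, nis)
        print(f"nisdomainname={nis!r}: host match {'OK' if ok else 'FAILS'}")
    print("domains carried by this host's triples:",
          sorted(netgroup_domains(GETENT_OUTPUT, CLIENT_FQDN)))
```

Run against the thread's data, the first check fails and the second succeeds, which is the mismatch Rob points out: the netgroup entries FreeIPA publishes carry the IPA domain as the third field, so the client's NIS domain has to equal it for any `+netgroup` host specification in a sudo rule to apply.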