Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
> 
> Awesome! OK, cannot use the "ipaservers" hostgroup, but creating a new one
> will work!
> 
> Thanks a lot!
> 
> 
> Created a new hostgroup and used that one for the sudo rule:
> 
> [admin@freeipa1 ~]$ ipa sudorule-show sudo_freeipa_admins
>   Rule name: sudo_freeipa_admins
>   Enabled: TRUE
>   Command category: all
>   RunAs User category: all
>   RunAs Group category: all
>   User Groups: admins
>   Host Groups: freeipa-servers
> 
> The new hostgroup has one member: server-group "ipaservers", which makes it
> easier to manage than adding each host:
> 
> [admin@freeipa1 ~]$ ipa hostgroup-show freeipa-servers
>   Host-group: freeipa-servers
>   Description: https://pagure.io/freeipa/issue/7284
>   Member host-groups: ipaservers
>   Member of Sudo rule: sudo_freeipa_admins
>   Indirect Member hosts: freeipa2.example.local, freeipa1.example.local
> 
> sudo will work now!
> 
> [admin@freeipa1 ~]$ sudo -l
> Matching Defaults entries for admin on freeipa1:
>     !visiblepw, always_set_home, match_group_by_gid, env_reset,
>     env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
>     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
>     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
>     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
>     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> 
> User admin may run the following commands on freeipa1:
>     (ALL : ALL) ALL

Cool idea. I updated the ticket with your workaround in case anyone else
runs into this.

rob

> 
> 
> Rob Crittenden schreef op 05-12-2018 14:04:
>> Winfried de Heiden via FreeIPA-users wrote:
>>> Hi all,
>>>
>>> On a brand new install, sudo for a hostgroup seems not to work. I created
>>> a sudo rule for admins to do "everything" on all servers within
>>> the hostgroup "ipaservers":
>>>
>>>   Rule name: s3_sudo_freeipa_admins
>>>   Enabled: TRUE
>>>   Command category: all
>>>   RunAs User category: all
>>>   RunAs Group category: all
>>>   User Groups: admins
>>>   Host Groups: ipaservers
>>>
>>> However, user admin is not allowed to do so:
>>>
>>> [admin@freeipa1 ~]$ sudo -l
>>> [sudo] password for admin: 
>>> Sorry, user admin may not run sudo on freeipa1.
>>>
>>> Removing the group but adding the two FreeIPA-servers:
>>>   Rule name: s3_sudo_freeipa_admins
>>>   Enabled: TRUE
>>>   Command category: all
>>>   RunAs User category: all
>>>   RunAs Group category: all
>>>   User Groups: admins
>>>   Hosts: freeipa1.example.local, freeipa2.example.local
>>>
>>> After cleaning the sssd-cache:
>>>
>>> sudo -l
>>> [sudo] password for admin: 
>>> Matching Defaults entries for admin on freeipa1:
>>>     !visiblepw, always_set_home, match_group_by_gid, env_reset,
>>>     env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
>>>     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
>>>     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
>>>     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
>>>     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>
>>> User admin may run the following commands on freeipa1:
>>>     (ALL : ALL) ALL
>>>
>>> There are no clients yet; this issue was reproduced on a brand new
>>> CentOS 7.5 IPA installation with no modifications or anything else...
>>>
>>> What's happening here?
>>
>> This is a bug. ipaservers is treated specially internally, see
>> https://pagure.io/freeipa/issue/7284
>>
>> rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
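As an added example (not code from the thread or from FreeIPA itself), here is a small Python audit script that parses `ipa sudorule-show` style output and flags enabled rules whose Host Groups entry is the special `ipaservers` group directly, which is the case the thread found not to be applied; the sample output is constructed from the two rules posted above, and the `ipa` invocation that would produce it is assumed to be run separately.

```python
"""Audit FreeIPA sudo rules for the 'ipaservers' host group pitfall.

Added example, not from the thread: a rule that names 'ipaservers' in
Host Groups is not applied (pagure issue 7284), while a wrapper host
group that merely contains ipaservers works. This parses the key/value
output of 'ipa sudorule-show' and reports rules hitting the pitfall.
"""
import re

SPECIAL_HOSTGROUP = "ipaservers"   # treated specially by IPA internally

# Constructed sample: two 'ipa sudorule-show' outputs concatenated,
# mirroring the broken rule and the working wrapper-group rule above.
SAMPLE = """\
  Rule name: s3_sudo_freeipa_admins
  Enabled: TRUE
  Command category: all
  User Groups: admins
  Host Groups: ipaservers
  Rule name: sudo_freeipa_admins
  Enabled: TRUE
  Command category: all
  User Groups: admins
  Host Groups: freeipa-servers
"""

def parse_show_output(text):
    """Split 'ipa *-show' output into one dict per rule.

    A new rule starts at each 'Rule name:' line; every other attribute
    is stored as a list, since IPA prints multi-valued ones comma separated.
    """
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule name":
            current = {"Rule name": value}
            entries.append(current)
        elif current is not None:
            current[key] = [v.strip() for v in value.split(",") if v.strip()]
    return entries

def rules_hitting_pitfall(text):
    """Return names of enabled rules that target 'ipaservers' directly."""
    hits = []
    for rule in parse_show_output(text):
        enabled = rule.get("Enabled", ["FALSE"])[0].upper() == "TRUE"
        if enabled and SPECIAL_HOSTGROUP in rule.get("Host Groups", []):
            hits.append(rule["Rule name"])
    return hits

if __name__ == "__main__":
    for name in rules_hitting_pitfall(SAMPLE):
        print(f"{name}: targets {SPECIAL_HOSTGROUP} directly; "
              f"put a wrapper host group containing it in the rule instead")
```

Feed it the real output of `ipa sudorule-find --all` (one rule after another) to check every rule in a deployment rather than the constructed sample.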
