Brian Sanders via FreeIPA-users wrote:
> I have recently found out that when adding SUDO rules to my IPA server, the
> host groups are not evaluated correctly. I am using the same host groups in
> my HBAC and they are working correctly. If I remove the host groups from the
> SUDO rule, and instead directly put the server in as an individual host, the
> SUDO rule works correctly. If I simply set it to allow "all" hosts, while
> leaving the rest of the SUDO rule the same, it also works.
>
> Running a sudo command with the host groups provides the error:
>
> "test1 is not allowed to run sudo on srv1. This incident will be reported."
>
> I have turned on some debugging for SSSD and SUDO but it is extremely
> verbose, and after realizing the same host groups work with HBAC, I am
> skeptical this is an issue with my configuration. Anyone have some
> troubleshooting or workarounds? Is there perhaps a known bug I didn't find
> about this? As much as I hate it, my "right now" workaround is to just
> allow it on all hosts, and rely on my HBAC to determine what groups can log
> into what hosts. However this isn't a true fix, just a stopgap while I look
> into this.
>
> IPA Client versions:
> ipa --version
> VERSION: 4.6.8, API_VERSION: 2.237
>
> IPA Server version:
> ipa --version
> VERSION: 4.6.8, API_VERSION: 2.237
There is no concept of hostgroups in SUDO but it does understand netgroups so
hostgroups are represented as netgroups.

In order for this to work your NIS domain name needs to be set properly. You
can try something like:

$ getent netgroup hg1
hg1 (ipa.example.test,-,example.test)

nisdomainname will set the NIS domain name.

rob
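An added diagnostic helper, not from the thread or from the FreeIPA project: it takes the text that `getent netgroup <hostgroup>` prints on the client and checks whether a given host would match one of its (host,user,domain) triples under the netgroup matching sudo relies on, so you can see that a missing or wrong NIS domain name on the client is enough to turn a correct host group into "not allowed to run sudo". The netgroup line, host names and domain are constructed samples modelled on the reply above.

```shell
#!/bin/sh
# netgroup_host_match LINE HOST NISDOMAIN
#   LINE      - one line of `getent netgroup <name>` output, e.g.
#               "hg1 (srv1.example.test,-,example.test) (srv2.example.test,-,example.test)"
#   HOST      - the client's FQDN as it appears in the netgroup triples
#   NISDOMAIN - what `nisdomainname` reports on the client ('' if unset)
# Triple semantics (innetgr-style, assumed here): an empty field matches
# anything, "-" matches nothing, and the domain field must equal NISDOMAIN.
# Exit status 0 means the host matches, 1 means it does not.
netgroup_host_match() {
    printf '%s\n' "$1" | awk -v host="$2" -v nisdom="$3" '
    {
        sub(/^[^ \t]+[ \t]*/, "")               # drop the leading netgroup name
        gsub(/\(/, "")                           # keep only ")" as the triple terminator
        n = split($0, triples, /\)[ \t]*/)       # one "host,user,domain" string per element
        for (i = 1; i <= n; i++) {
            if (triples[i] == "") continue       # trailing empty element after the last ")"
            split(triples[i], f, ",")            # f[1]=host f[2]=user f[3]=domain
            if (f[1] == "-" || (f[1] != "" && f[1] != host)) continue
            if (f[3] == "-" || (f[3] != "" && f[3] != nisdom)) continue
            found = 1
        }
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample, shaped like the `getent netgroup hg1` output in the reply.
sample='hg1 (srv1.example.test,-,example.test)'
for dom in example.test ''; do
    if netgroup_host_match "$sample" srv1.example.test "$dom"; then
        echo "NIS domain '$dom': srv1.example.test matches hg1"
    else
        echo "NIS domain '$dom': srv1.example.test does NOT match hg1 (sudo would deny)"
    fi
done
```

Run it against the real `getent netgroup <hostgroup>` line and `"$(hostname -f)"` / `"$(nisdomainname)"` from the affected client to confirm whether the domain field is what is failing.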
