Ronald Wimmer via FreeIPA-users wrote:
> On 29.06.23 09:52, Sam Morris via FreeIPA-users wrote:
>> On 29/06/2023 07:31, Ronald Wimmer via FreeIPA-users wrote:
>>> Is a correct hostname (FQDN) required for sudo rules to work properly?
>>>
>>> I do have a host where the hostname is set to its shortname. My user
>>> is allowed to perform sudo on this host (as it is a member of the
>>> admin group which is allowed to do everything on every host) but
>>> another user (who is not member of the admin group) cannot perform
>>> sudo on this particular host. (according to IPA this user should be
>>> able to use sudo)
>>>
>>> My suspicion is that this might have to do with the hostname
>>> incorrectly set to its shortname and not to its FQDN.
>>
>> See https://docs.pagure.org/sssd.sssd/users/sudo_troubleshooting.html
>> for how to enable sudo and sssd-sudo logs - you should be able to see
>> how sudo evaluates the rules received from the directory with the
>> information from the logs.
>
> In this particular case it does not help me as the IPA client is an AIX
> 7.3 machine that does not have SSSD.
I'm afraid there isn't a lot we can do then. You'll need to see what debugging capabilities AIX sudo-ldap has.

A typical sudoers entry with one command and a host will look like:

dn: cn=test,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
objectClass: top
sudoHost: ipa.example.test
sudoCommand: /usr/bin/less
cn: test

I think your suspicion about the non-qualified hostname is probably right. I have no idea on how to work around it other than changing the hostname. The ou=sudoers entry is generated in the compat tree so not directly modifiable. The sudorule entry uses memberof (ipa treats it as memberhost) to point to a host entry which by definition is a fqdn.

If you're feeling ambitious then you might be able to add an IPA host with fqdn=shortname using ldapmodify. I don't know if that would cause other problems like being able to manage that host in the API. If there is already an IPA host with the FQDN this will not work as the API expects to get only one entry back on some searches and will fail spectacularly if you search on shortname.

So at first glance your choices are:

1. change the hostname
2. do a lot of weird, unsupported changes to IPA LDAP in hopes that this one host works. And remember when and why you did them.

rob
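The following is an added illustration of the hostname problem discussed in this thread; it is not code from the thread, from sudo, or from FreeIPA. It parses a sudoRole entry shaped like the one Rob quotes (the SAMPLE_LDIF text is constructed for this example) and applies an approximation of how a sudo client compares sudoHost against its own name: the ALL keyword matches everything, other values are treated as shell-style patterns and compared case-insensitively against the configured hostname and, when that name is qualified, its short form. Netgroup (+name) and IP/netmask forms of sudoHost are deliberately not modelled. With a hostname of only "ipa" the rule for "ipa.example.test" never matches, which is the failure mode the thread describes:

```python
import fnmatch
from typing import Dict, List

# Constructed sudoRole entry modelled on the LDIF shape quoted above;
# it was not exported from any real IPA server.
SAMPLE_LDIF = """\
dn: cn=test,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
objectClass: top
sudoHost: ipa.example.test
sudoCommand: /usr/bin/less
cn: test
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one simple LDIF entry into attribute -> list of values.

    Only plain 'attr: value' lines are handled (no base64 '::' values,
    no line continuations), which is enough for the compat-tree entry."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def host_candidates(hostname: str) -> List[str]:
    """Names the client compares sudoHost against: the configured hostname
    and, if that is qualified, also its short form. A host whose hostname
    is only the short name yields a single candidate, so an FQDN-valued
    sudoHost has nothing to match."""
    names = [hostname.lower()]
    short = hostname.split(".", 1)[0].lower()
    if short != names[0]:
        names.append(short)
    return names


def sudohost_matches(sudo_hosts: List[str], hostname: str) -> bool:
    """Approximation (an assumption, not sudo's own code) of sudoHost
    matching: 'ALL' matches any host, other values are shell-style patterns
    compared case-insensitively against each candidate name."""
    for pattern in sudo_hosts:
        if pattern == "ALL":
            return True
        for name in host_candidates(hostname):
            if fnmatch.fnmatchcase(name, pattern.lower()):
                return True
    return False


def rule_applies(ldif_text: str, hostname: str) -> bool:
    """True when the sudoRole entry's sudoHost values match the given host."""
    entry = parse_ldif_entry(ldif_text)
    return sudohost_matches(entry.get("sudoHost", []), hostname)


if __name__ == "__main__":
    for configured in ("ipa.example.test", "ipa"):
        verdict = "applies" if rule_applies(SAMPLE_LDIF, configured) else "does NOT apply"
        print(f"hostname={configured!r}: rule cn=test {verdict}")
```

Running it prints that the rule applies for "ipa.example.test" and does not apply for "ipa". On a client without SSSD this is the kind of check worth doing by hand: dump the compat-tree entry, compare every sudoHost value against the output of hostname, and expect no match unless one of them equals the configured name or ALL.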