Further information: I do have:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

in /etc/sssd/sssd.conf.

Is cn=ng,cn=compat correct?

--Jason

On Tue, Jul 10, 2012 at 2:15 PM, KodaK <sako...@gmail.com> wrote:
> I'm running IPA 2.2.0 on RHEL6
>
> Server:
>
> [root@validserver ~]# rpm -qa | grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
>
> Client:
>
> [root@validhost ~]# rpm -qa | grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
>
> My sudo-ldap.conf file:
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
> bindpw validpassword
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://validserver ldap://validserver2
> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
>
> What I'm trying to do: I have a group of users that I'd like to have
> restart apache on a group of hosts.
>
> What I've done: created a user group, created a group of hosts (in a
> grouplist).
>
> I can successfully run sudo in any configuration, *except* when using
> a host group. When I try I get:
>
> Sorry, user validuser is not allowed to execute
> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>
> I can edit the same rule, change the host group (that only contains
> two hosts) and specify the two hosts directly and it works fine.
>
> Can someone else just try this and see if I've hit a bug? I'm certain
> I couldn't have messed up creating the host group, but I suppose it's
> possible.
>
> I get the same behavior when I try a simple "/bin/cat" command through
> sudo, too.
>
> Is there a special config for using host groups? I suspect I may have
> missed some obvious documentation.
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6

--
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
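A client-side check of the netgroup side of this question, added here as an example and not part of the thread: sudo's LDAP backend matches a host group in sudoHost as a netgroup through innetgr(), which NSS resolves from the compat tree that ldap_netgroup_search_base points at, so if `getent netgroup` on the client does not list the host, the rule cannot match it. The host group name webservers and the getent output line are constructed for the example.

```sh
#!/bin/sh
# Added diagnostic (not from the thread). A sudo rule that names an IPA
# host group is matched on the client as a netgroup, so the first thing
# to verify is that sssd actually serves that netgroup to NSS.

# Pure check: does a `getent netgroup` line list HOST as a member triple?
# $1 = the line as printed by getent, $2 = host FQDN. Returns 0 when found.
netgroup_has_host() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -q "^($2,[^,]*,[^)]*)$"
}

# Live check on a client: resolve the netgroup through NSS (sssd) and look
# for this host in it. $1 = host group name, $2 = host FQDN (default: ours).
# Returns 0 if listed, 1 if the netgroup resolves without this host,
# 2 if the netgroup does not resolve at all.
check_hostgroup_membership() {
    ng=$1
    host=${2:-$(hostname -f)}
    line=$(getent netgroup "$ng" 2>/dev/null) || {
        echo "netgroup '$ng' does not resolve: check 'netgroup: sss' in"
        echo "/etc/nsswitch.conf and ldap_netgroup_search_base in sssd.conf"
        return 2
    }
    if netgroup_has_host "$line" "$host"; then
        echo "host $host is a member of netgroup $ng"
        return 0
    fi
    echo "netgroup $ng resolves but does not list $host:"
    echo "  $line"
    return 1
}

# Constructed sample of what getent prints when the compat tree serves the
# host group correctly; the host group name 'webservers' is hypothetical.
SAMPLE_LINE='webservers            (validhost1.fqdn.com,-,validdomain.com) (validhost2.fqdn.com,-,validdomain.com)'

# On a real client, run e.g.:  check_hostgroup_membership webservers
```

If the netgroup resolves and lists the host but sudo still refuses, the problem is on the sudoers side (the rule's sudoHost value) rather than in sssd's netgroup lookup.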