Sorry, for some reason gmail makes me forget about "reply all."

On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 06/05/2013 11:20 AM, KodaK wrote:
>
> I know this has been discussed before, but I didn't see anything with a
> cursory search.
>
> There are bugs when using user and host groups with sudo rules. I have to
> split out my users and hosts into individual entries. I'm running ipa
> 3.0.0-26 on RHEL.
>
> All I really want to know is if this is fixed upstream.
>
>
> I am not sure I recall a bug you are referring to. A quick scan against
> the open tickets does not reveal anything like what you describe.
> Can you provide the description of the issue or point to the earlier
> thread on the matter?
>
>

I'm going off of memory on seeing the previous bug. It very well could be a false memory.

I have a rule like this:

[jebalicki@mo0033802 ~]$ ipa sudorule-show esolutions-sandbox-root-access
  Rule name: esolutions-sandbox-root-access
  Enabled: TRUE
  Users: slfries, awellard
  Hosts: slnessbxl01.unix.magellanhealth.com
  Sudo Allow Commands: /bin/su -

This works. However, if I change the rule to use hostgroups instead of listing the hosts individually the rule will not work.

The groups still exist and look like this:

[jebalicki@mo0033802 ~]$ ipa hostgroup-show esolutions-sandbox-hosts
  Host-group: esolutions-sandbox-hosts
  Description: esolutions sandbox hosts
  Member hosts: slnessbxl01.unix.magellanhealth.com
  Member of HBAC rule: esolutions-sandbox-access

[jebalicki@mo0033802 ~]$ ipa group-show esolutions
  Group name: esolutions
  Description: esolutions group
  GID: 1115600250
  Member users: awellard, slfries
  Member of HBAC rule: esolutions-sandbox-access

Client machine is pretty much default-out-of-the-box IRT IPA configuration, here's the installer output (installs during kickstart):

[root@slnessbxl01 ~]# cat ks-post.log
Discovery was successful!
Hostname: slnessbxl01.unix.magellanhealth.com
Realm: UNIX.MAGELLANHEALTH.COM
DNS Domain: UNIX.MAGELLANHEALTH.COM
IPA Server: slpidml01.unix.magellanhealth.com
BaseDN: dc=unix,dc=magellanhealth,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm UNIX.MAGELLANHEALTH.COM
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.MAGELLANHEALTH.COM
Warning: Hostname (slnessbxl01.unix.magellanhealth.com) not found in DNS
DNS server record set to: slnessbxl01.unix.magellanhealth.com -> 10.200.12.104
SSSD enabled
NTP enabled
Client configuration complete.

[root@slnessbxl01 ~]# rpm -qa | grep ipa
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64

[root@slnessbxl01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[root@slnessbxl01 ~]#

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users