I checked that and it is set correctly:
[user1@host1 ~]$ nisdomainname
my_domain.com

If I try to run a command with the hosts specified indirectly through a host group, it fails:

[user1@host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri              ldap://ipa_server.my_domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=my_domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw           **********
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt

But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine:

<snip>
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account@host1 ~]$

So something isn't lining up correctly with host groups in sudo rules somewhere. I just haven't been able to track it down.

Thanks,
-Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com<mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: James Hogarth [mailto:james.hoga...@gmail.com]
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

> > Did anyone find a solution for this? I am having the same experience.
>
> Wow that was a mess... To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
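The thread above turns on one detail: sudo resolves a sudoHost of the form '+hgroup1' as a NIS netgroup, and the netgroup triples that FreeIPA's compat tree publishes for a host group carry the IPA domain in their third field, so the host's own NIS domain name (what `nisdomainname` prints) takes part in the comparison. The following is an added example, not code from the thread, from sudo, glibc or FreeIPA: it models that triple comparison as a pure function so the "... not" versus "... MATCH!" outcome can be reproduced offline. The sample `getent netgroup` line, the hostnames and the exact matching rule (a domain-qualified triple only matches a host whose NIS domain equals that field; an unset domain, which `nisdomainname` reports as "(none)", never does) are assumptions made for illustration.

```python
"""Model of why an unset nisdomainname breaks netgroup-based sudoHost matching.

Added example; it is not sudo's, glibc's or FreeIPA's code. The netgroup line,
hostnames and matching rule below are constructed/assumed for illustration.
"""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRIPLE_RE = re.compile(r"\(([^,]*),([^,]*),([^)]*)\)")


@dataclass(frozen=True)
class Triple:
    """One (host,user,domain) netgroup triple."""
    host: str
    user: str
    domain: str


def parse_netgroup_line(line: str) -> Tuple[str, List[Triple]]:
    """Parse 'name (h,u,d) (h,u,d) ...' as printed by `getent netgroup name`."""
    name, _, rest = line.strip().partition(" ")
    triples = [Triple(h.strip(), u.strip(), d.strip())
               for h, u, d in TRIPLE_RE.findall(rest)]
    return name, triples


def field_matches(field: str, value: Optional[str]) -> bool:
    """Empty or '-' triple fields are wildcards; otherwise compare case-insensitively.
    A None lookup value means the caller does not constrain that field."""
    if field in ("", "-") or value is None:
        return True
    return field.lower() == value.lower()


def nis_domain_or_none(nisdomainname: str) -> Optional[str]:
    """`nisdomainname` prints '(none)' when no NIS domain has been set."""
    stripped = nisdomainname.strip()
    return None if stripped in ("", "(none)") else stripped


def host_in_netgroup(triples: List[Triple], fqdn: str, shost: str,
                     nisdomainname: str) -> bool:
    """Emulate the sudoHost '+netgroup' check for the local host.

    Assumed rule: the triple's host field must match the FQDN or short name,
    and when the triple names a domain the host's NIS domain must equal it.
    With nisdomainname unset, a domain-qualified triple can therefore never match.
    """
    domain = nis_domain_or_none(nisdomainname)
    for t in triples:
        if not (field_matches(t.host, fqdn) or field_matches(t.host, shost)):
            continue
        if t.domain not in ("", "-"):
            if domain is None or t.domain.lower() != domain.lower():
                continue
        return True
    return False


# Constructed sample in the shape of `getent netgroup hgroup1` on an IPA client
# whose compat tree exposes the IPA host group "hgroup1" as a NIS netgroup.
SAMPLE_NETGROUP = ("hgroup1 (host1.my_domain.com,-,my_domain.com) "
                   "(host2.my_domain.com,-,my_domain.com)")


def sudo_host_matches(nisdomainname: str, fqdn: str = "host1.my_domain.com") -> bool:
    """Would sudo's 'ldap sudoHost +hgroup1' line print MATCH! for this host?"""
    _, triples = parse_netgroup_line(SAMPLE_NETGROUP)
    shost = fqdn.split(".", 1)[0]
    return host_in_netgroup(triples, fqdn, shost, nisdomainname)


if __name__ == "__main__":
    # Reproduce the two outcomes seen in the thread for host1.
    for nisdom in ("(none)", "my_domain.com"):
        verdict = "MATCH!" if sudo_host_matches(nisdom) else "not"
        print(f"nisdomainname={nisdom:<14} sudo: ldap sudoHost '+hgroup1' ... {verdict}")
```

On a real client the equivalent check is to compare the output of `nisdomainname` with the domain field in `getent netgroup hgroup1`, then rerun `sudo -l` with sudo's LDAP debugging enabled and look for the sudoHost line to flip from "not" to "MATCH!". Setting the domain once with `nisdomainname my_domain.com` is not persistent across reboots; configure it through the distribution's network configuration so the fix survives.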