Just checking, did you try the troubleshooting hints from JR that I found at the
top of the thread? I did not find any information about that.

~~~~
Can you confirm that the output of the following commands:
1. $ domainname
* does it match your domain?
2. $ hostname
* does it match your fqdn?
3. $ getent netgroup esolutions-sandbox-hosts
* does this list your host?
4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?


Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or
/etc/ldap.conf, depending on what version of RHEL/Sudo you're running):

At the top, add the line: sudoers_debug 2

Then try another sudo command. sudo -l for example.
~~~~

For example, it would help to know whether the netgroup list (step 3) works and
whether domainname is set correctly (step 1).

Martin
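Added example, not from the thread or from any of its authors: a POSIX shell script that runs the four checks from the quoted list and parses their output, so a host's netgroup membership can be confirmed before reading sudoers_debug output. The IPA domain value is an assumption; the netgroup name is the one in the quoted checklist.

```shell
#!/bin/sh
# Added example, not from the thread. Each check takes its input as an argument
# so it can be fed live output or the constructed samples below.
IPA_DOMAIN="my_domain.com"            # assumed IPA domain
NETGROUP="esolutions-sandbox-hosts"   # netgroup named in the checklist

# Check 1: output of `domainname` must equal the IPA domain.
domain_ok() { [ "$1" = "$IPA_DOMAIN" ]; }

# Check 2: output of `hostname` must be an FQDN inside the IPA domain.
fqdn_ok() { case "$1" in ?*."$IPA_DOMAIN") return 0 ;; *) return 1 ;; esac; }

# Check 3: `getent netgroup NAME` prints "NAME (host,user,domain) ...";
# the host must be the first field of at least one triple.
netgroup_lists_host() {
    printf '%s\n' "$1" | awk -v h="$2" '
        { for (i = 2; i <= NF; i++) { t = $i; gsub(/[()]/, "", t)
                                      split(t, f, ","); if (f[1] == h) ok = 1 } }
        END { exit !ok }'
}

# Check 4: the netgroup line of nsswitch.conf must list the sss source.
nsswitch_netgroup_sss() {
    printf '%s\n' "$1" | awk '
        $1 == "netgroup:" { for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1 }
        END { exit !ok }'
}

# Constructed samples: two hosts in the netgroup, one good and one bad nsswitch.
SAMPLE_NETGROUP="$NETGROUP (host1.my_domain.com,-,my_domain.com) (host2.my_domain.com,-,my_domain.com)"
SAMPLE_NSSWITCH="passwd:     files sss
netgroup:   files sss"
SAMPLE_NSSWITCH_BAD="netgroup:   files"

# Runs all four checks on the live host; skips quietly if the tools are absent.
run_live_checks() {
    for tool in domainname hostname getent; do
        command -v "$tool" >/dev/null 2>&1 || return 0
    done
    d=$(domainname 2>/dev/null || true)
    h=$(hostname 2>/dev/null || true)
    domain_ok "$d" && echo "ok: domainname=$d" || echo "FAIL: domainname '$d' != $IPA_DOMAIN"
    fqdn_ok "$h" && echo "ok: hostname=$h" || echo "FAIL: '$h' is not an FQDN in $IPA_DOMAIN"
    netgroup_lists_host "$(getent netgroup "$NETGROUP")" "$h" \
        && echo "ok: $h is in $NETGROUP" || echo "FAIL: $h not listed in $NETGROUP"
    nsswitch_netgroup_sss "$(cat /etc/nsswitch.conf)" \
        && echo "ok: netgroup lookups go through sss" || echo "FAIL: netgroup line lacks sss"
}
run_live_checks
```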


On 07/16/2013 06:09 AM, Tovey, Mark wrote:
> 
>     Okay, I stopped sssd on the client and deleted the cache files, removed
> the sudo rule, started sssd and verified that the rule was gone, stopped sssd
> and deleted the files again, added the rule back in, restarted sssd, and still
> it does not work.  One note, when I enter the hosts into the sudo rule in
> place of the host group, the effect is immediate; I do not need to restart
> sssd.  And the opposite is true too: if I put the host group back, the rule
> immediately stops working.  I don’t think the issue is cache related; it seems
> to be something else.  The serv_account that we are accessing with the sudo
> rule is external.  I wouldn’t expect that to matter, but perhaps it does?
> 
>     I like your idea for the labels; they make sense.  Right now we are just
> evaluating this to see if we want to go this route.  So far we like it, but
> this could be a problem because we have several hundred hosts that we need to
> manage.  Having to enter each one individually will be problematic.
> 
>     Thanks,
> 
>     -Mark
> 
> * *
> 
> *________________________________________________________________*
> 
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> 
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | 
> Oregon
> | 97204 | USA
> 
> mto...@go2uti.com <mailto:mto...@go2uti.com> | O / C +1 503 953-1389 | Skype:
> mark.tovey2
> 
>  
> 
> *From:*Steven Jones [mailto:steven.jo...@vuw.ac.nz]
> *Sent:* Monday, July 15, 2013 4:44 PM
> *To:* Tovey, Mark; James Hogarth
> *Cc:* Freeipa-users@redhat.com
> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
> option b) delete the rule totally and redo it from scratch.
> 
> I label rules like this,
> 
> hb-xxxx   for a hbac rule
> 
> su-xxxx for a sudo rule
> 
> sc-xxxx for a sudo command group
> 
> ug-xxxx for a user group
> 
> hg-xxxx for a host groups
> 
> etc
> 
> etc
> 
> It makes the logic easier when you go into the command line, which I find
> easier to trace with than the GUI at times.
> 
>  
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> -------------------------------------------------------------------------------
> 
> *From:*Tovey, Mark [mto...@go2uti.com]
> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
> *To:* Steven Jones; James Hogarth
> *Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
>     That didn’t work either.  I set up the host group in my sudo rule, stopped
> sssd, renamed /var/lib/sss/db and created a new db directory, then restarted
> sssd.  New files were created in the db directory, but it still refuses to
> work unless the hosts are directly specified in the sudo rule.
> 
>     Thanks,
> 
>     -Mark
> 
> 
>  
> 
> *From:*Steven Jones [mailto:steven.jo...@vuw.ac.nz]
> *Sent:* Monday, July 15, 2013 4:15 PM
> *To:* Tovey, Mark; James Hogarth
> *Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
> Hi,
> 
> This is a known issue I've suffered with for a long time.  What would be
> interesting is that adding another host to the host group could well work
> fine; that will really make you bang your head against the wall.
> 
> Two possibilities: stop the sssd daemon on the problem host, delete its cache
> and start it; that might fix it.
> 
> Otherwise, all RH support could come up with is to delete the HBAC rule, sudo
> rule, user group and host group and re-do it; then it will probably work fine.
> 
>  
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> -------------------------------------------------------------------------------
> 
> *From:*freeipa-users-boun...@redhat.com
> <mailto:freeipa-users-boun...@redhat.com> [freeipa-users-boun...@redhat.com]
> on behalf of Tovey, Mark [mto...@go2uti.com]
> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
> *To:* James Hogarth
> *Cc:* Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> 
> 
>     I checked that and it is set correctly:
> 
> [user1@host1 ~]$ nisdomainname
> my_domain.com
> 
>     If I try to run a command with the hosts specified indirectly through a
> host group, it fails:
> 
> [user1@host1 ~]$ sudo -i -u serv_account
> LDAP Config Summary
> ===================
> uri              ldap://ipa_server.my_domain.com
> ldap_version     3
> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
> bindpw           **********
> bind_timelimit   5000
> timelimit        15
> ssl              start_tls
> tls_checkpeer    (yes)
> tls_cacertfile   /etc/ipa/ca.crt
> ===================
> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: tls_checkpeer -> 1
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> sudo: ldap_set_option: timelimit -> 15
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: no default options found!
> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> sudo: ldap sudoHost '+hgroup1' ... not
> sudo: ldap search 'sudoUser=+*'
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(0)=0x40
> [sudo] password for user1:
> Sorry, try again.
> [sudo] password for user1:
> sudo: 1 incorrect password attempt
> 
>     But if I remove the host group from the sudo rule and directly add the
> hosts that were in the host group, it works fine:
> 
> 
> <snip>
> 
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: no default options found!
> sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
> sudo: ldap sudoCommand 'ALL' ... MATCH!
> sudo: Command allowed
> sudo: user_matches=1
> sudo: host_matches=1
> sudo: sudo_ldap_lookup(0)=0x02
> [sudo] password for user1:
> [serv_account@host1 ~]$
> 
>     So something isn’t lining up correctly with host groups in sudo rules
> somewhere.  I just haven’t been able to track it down.
> 
>     Thanks,
> 
>     -Mark
> 
> 
> 
>  
> 
> *From:*James Hogarth [mailto:james.hoga...@gmail.com]
> *Sent:* Monday, July 15, 2013 1:11 PM
> *To:* Tovey, Mark
> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
>> 
>>     Did anyone find a solution for this?  I am having the same experience.
>> 
> 
> Wow that was a mess...
> 
> To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA
> domain.
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
