[Freeipa-users] sudo su - works on one server for a user but not on another (its twin)

Rob Crittenden rcritten at redhat.com
Wed Aug 22 21:42:29 UTC 2012


Steven Jones wrote:
> Hi,
>
> I'm trying to fault find why a user can sudo su - on a server but not its
> twin.
>
> I have nisdomainname ods.vuw.ac.nz in rc.local.....
> and sudo-ldap.conf and nsswitch.conf appear to be identical but the
> hostname match fails.
>
> So for the working server,
> ========
> sudo: ldap sudoHost '+servers-saas-root' ... MATCH!
> sudo: ldap sudoCommand '/bin/su -' ... MATCH!
> sudo: ldap sudoCommand '/bin/su - banner' ... MATCH!
> sudo: Command allowed sudo: user_matches=1 sudo: host_matches=1
> ========
>
> For the failing server,
> ========
> sudo: ldap sudoHost '+servers-saas-root' ... not
> sudo: ldap search 'sudoUser=+*'
> sudo: user_matches=1
> sudo: host_matches=0
> ========
>
> I have a host failure, yet the server is in that host group...the HBAC
> rule allows ssh and sudo....ssh works for both, so HBAC rule should be OK.
>
> The sudo command uses the same user and host groups as the HBAC...
>
> Damned if I can see a setup error.
>
> Ideas where to go looking next please?

Try temporarily enabling the allow_all HBAC rule so you can see if it is 
an HBAC or a sudo problem?

rob
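As an added example (not from the thread, sudo or FreeIPA), here is a small POSIX sh check that applies innetgr(3)-style (host,user,domain) triple matching, which is what sudo uses for a sudoHost of '+netgroup', to constructed `getent netgroup` output. The hostnames are invented; only the ods.vuw.ac.nz domain comes from the thread. It shows how two hosts that are both in the same netgroup can still disagree on host_matches when their NIS domain name (nisdomainname) differs.

```sh
#!/bin/sh
# Added example, not from the thread: innetgr(3)-style netgroup matching,
# the test sudo applies for a sudoHost of '+netgroup'. A triple is
# (host,user,domain); an empty field is a wildcard, '-' matches nothing.

# Constructed sample of `getent netgroup servers-saas-root` output
# (hostnames invented; only the ods.vuw.ac.nz domain is from the thread).
SAMPLE_NETGROUP='servers-saas-root (saas1.example.test,-,ods.vuw.ac.nz) (saas2.example.test,-,ods.vuw.ac.nz)'

# field_matches TRIPLE_FIELD VALUE: '-' never matches, '' matches anything.
field_matches() {
    case $1 in
        -)  return 1 ;;
        '') return 0 ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# host_in_netgroup NETGROUP_LINE HOST NISDOMAIN -> 0 if any triple matches.
# An empty NISDOMAIN means the host has no NIS domain set; like sudo passing
# NULL to innetgr, the domain comparison is then skipped.
host_in_netgroup() {
    line=$1; host=$2; domain=$3
    case $line in
        *' '*) triples=${line#* } ;;   # drop the leading netgroup name
        *)     return 1 ;;             # netgroup has no members
    esac
    for t in $triples; do
        t=${t#\(}; t=${t%\)}           # strip the parentheses
        t_host=${t%%,*}
        t_rest=${t#*,}
        t_dom=${t_rest#*,}
        field_matches "$t_host" "$host" || continue
        if [ -z "$domain" ] || field_matches "$t_dom" "$domain"; then
            return 0
        fi
    done
    return 1
}

# compare_twins: the same host evaluated under three NIS domain settings,
# reproducing a host_matches=1 / host_matches=0 split from the domain alone.
compare_twins() {
    for d in ods.vuw.ac.nz '' wrong.example.test; do
        if host_in_netgroup "$SAMPLE_NETGROUP" saas2.example.test "$d"; then
            printf 'domain=%-20s host_matches=1\n' "${d:-(none)}"
        else
            printf 'domain=%-20s host_matches=0\n' "${d:-(none)}"
        fi
    done
}

compare_twins
```

On a live host, feed `getent netgroup servers-saas-root` together with `hostname -f` and `nisdomainname` into host_in_netgroup on both twins to see which side of the comparison differs.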
