[Freeipa-users] sudo hostgroup sanity check, please?
KodaK
sakodak at gmail.com
Tue Jul 10 19:15:41 UTC 2012
I'm running IPA 2.2.0 on RHEL6
Server:
[root@validserver ~]# rpm -qa | grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
Client:
[root@validhost ~]# rpm -qa | grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
My sudo-ldap.conf file:
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
bindpw validpassword
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://validserver ldap://validserver2
sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
What I'm trying to do: I have a group of users that I'd like to have
restart apache on a group of hosts.
What I've done: created a user group, created a group of hosts (in a
grouplist).
I can successfully run sudo in any configuration, *except* when using
a host group. When I try I get:
Sorry, user validuser is not allowed to execute
'/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
I can edit the same rule, change the host group (that only contains
two hosts) and specify the two hosts directly and it works fine.
Can someone else just try this and see if I've hit a bug? I'm certain
I couldn't have messed up creating the host group, but I suppose it's
possible.
I get the same behavior when I try a simple "/bin/cat" command through
sudo, too.
Is there a special config for using host groups? I suspect I may have
missed some obvious documentation.
--
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6
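Before chasing a rule-matching bug, a reviewer would first lint the posted sudo-ldap.conf itself. The script below is an added example, not code from the original post or from the FreeIPA project. It parses a constructed copy of the configuration quoted above (the values are the post's placeholders, not real credentials) and flags the settings that matter for security and for rule lookup: clear-text ldap:// without start_tls, peer verification disabled, a missing CA file, and a sudoers_base whose dc= suffix differs from the bind DN's suffix (as in the quoted file, where the rules would be searched in a different tree). One known requirement it does not check: IPA exposes host groups to sudo as netgroups, so a client that cannot resolve netgroups (for example via `getent netgroup <hostgroup>`) will never match a host-group rule even when the LDAP configuration is sound.

```python
"""Lint a sudo-ldap.conf for the settings that affect security and rule lookup.

Added example; the configuration text below is constructed from the values
quoted in the mailing-list post (placeholders, not real credentials).
"""
from typing import Dict, List

SAMPLE_CONF = """\
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
bindpw validpassword
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://validserver ldap://validserver2
sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
"""


def parse_sudo_ldap_conf(text: str) -> Dict[str, str]:
    """Return a key -> value map; keys lower-cased, comments and blank lines skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def dn_suffix(dn: str) -> str:
    """Return only the dc= components of a DN, lower-cased, e.g. 'dc=example,dc=com'."""
    rdns = [r.strip().lower() for r in dn.split(",") if r.strip()]
    return ",".join(r for r in rdns if r.startswith("dc="))


def lint(conf: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    uris = conf.get("uri", "").split()
    if not uris:
        findings.append("no 'uri' configured: sudo cannot reach a directory server")

    # Clear-text ldap:// is only acceptable when STARTTLS is negotiated first,
    # otherwise the bind password crosses the network unprotected.
    if any(u.startswith("ldap://") for u in uris) and conf.get("ssl", "").lower() != "start_tls":
        findings.append("ldap:// URI without 'ssl start_tls': bind password sent in clear")

    # Without peer verification any host answering on the LDAP port can impersonate IPA
    # and hand out arbitrary sudo rules.
    if conf.get("tls_checkpeer", "").lower() not in ("yes", "true", "on"):
        findings.append("tls_checkpeer is not enabled: server certificate is not verified")

    if conf.get("ssl") and not conf.get("tls_cacertfile"):
        findings.append("TLS enabled but no tls_cacertfile: peer verification cannot succeed")

    if "bindpw" in conf and "binddn" not in conf:
        findings.append("bindpw present without binddn: the password is never used")

    # Rules live under sudoers_base; if its dc= suffix differs from the bind DN's,
    # sudo is searching a different tree than the one the account belongs to.
    bind_suffix = dn_suffix(conf.get("binddn", ""))
    base_suffix = dn_suffix(conf.get("sudoers_base", ""))
    if bind_suffix and base_suffix and bind_suffix != base_suffix:
        findings.append(
            f"sudoers_base suffix '{base_suffix}' differs from binddn suffix "
            f"'{bind_suffix}': rules are searched in another tree"
        )
    return findings


def lint_text(text: str) -> List[str]:
    """Convenience wrapper: parse then lint a configuration file's contents."""
    return lint(parse_sudo_ldap_conf(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run against the quoted configuration, the only finding is the suffix mismatch between sudoers_base and binddn; TLS, peer verification and the CA file all pass. Because the file carries `bindpw` inline, it must also stay readable by root only, which is a filesystem check this text-only lint does not perform.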