[Freeipa-users] sudo hostgroup sanity check, please?

KodaK sakodak at gmail.com
Tue Jul 10 19:15:41 UTC 2012


I'm running IPA 2.2.0 on RHEL6

Server:

[root@validserver ~]# rpm -qa | grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64

Client:

[root@validhost ~]# rpm -qa | grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64

My sudo-ldap.conf file:

binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
bindpw validpassword

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://validserver ldap://validserver2
sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com

What I'm trying to do:  I have a group of users that I'd like to have
restart apache on a group of hosts.

What I've done:  created a user group, created a group of hosts (in a
grouplist.)

I can successfully run sudo in any configuration, *except* when using
a host group.  When I try I get:

Sorry, user validuser is not allowed to execute
'/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.

I can edit the same rule, change the host group (that only contains
two hosts) and specify the two hosts directly and it works fine.

Can someone else just try this and see if I've hit a bug?  I'm certain
I couldn't have messed up creating the host group, but I suppose it's
possible.

I get the same behavior when I try a simple "/bin/cat" command through
sudo, too.

Is there a special config for using host groups?  I suspect I may have
missed some obvious documentation.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
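Because sudo's LDAP client reads both its rules and the bind credentials from sudo-ldap.conf, the transport and file-permission settings in a file like the one quoted above are worth checking. The following is an added example (not from the thread, and not sudo's or FreeIPA's own code): a small Python audit of the sudo-ldap.conf keys used in the post; the sample configurations inside it are constructed and use example.com names.

```python
"""Audit a sudo-ldap.conf (the format shown in the post) for weak transport
and credential settings.  Added example, not from the original thread."""
import stat
from typing import Dict, List

TRUE_WORDS = ("yes", "true", "on", "start_tls")


def parse_sudo_ldap_conf(text: str) -> Dict[str, List[str]]:
    """'key value' lines, case-insensitive keys, '#' comments; repeated keys
    (several uri lines) are kept in order."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_sudo_ldap_conf(text: str, file_mode: int = 0o600) -> List[str]:
    """Return findings (empty list = passed). file_mode is the file's
    permission bits, passed in so inline text can be checked too."""
    conf = parse_sudo_ldap_conf(text)
    findings: List[str] = []
    ssl = conf.get("ssl", ["off"])[-1].lower()
    uris = " ".join(conf.get("uri", [])).split()
    # TLS is in use with 'ssl start_tls'/'ssl on', or if every URI is ldaps://
    tls = ssl in TRUE_WORDS or (bool(uris) and all(u.startswith("ldaps://") for u in uris))
    if not tls:
        findings.append("no TLS: simple bind sends bindpw and sudoers data in cleartext")
    else:
        if conf.get("tls_checkpeer", ["no"])[-1].lower() not in TRUE_WORDS:
            findings.append("tls_checkpeer is not yes: server certificate not verified")
        if not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
            findings.append("no tls_cacertfile/tls_cacertdir: nothing to verify the server against")
    if "bindpw" in conf and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("bindpw present but file is group/world readable (expect 0600)")
    return findings


# Constructed samples: GOOD mirrors the layout in the post, WEAK turns TLS off.
GOOD = """binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw CONSTRUCTED-PASSWORD
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa1.example.com ldap://ipa2.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
"""
WEAK = GOOD.replace("ssl start_tls", "ssl off")
```

Run against a real file with `audit_sudo_ldap_conf(open(path).read(), os.stat(path).st_mode & 0o777)`; an empty list means the TLS, CA and permission checks all passed.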
