[Freeipa-users] sudo hostgroup sanity check, please?

Dmitri Pal dpal at redhat.com
Tue Jul 10 19:56:31 UTC 2012


On 07/10/2012 03:15 PM, KodaK wrote:
> I'm running IPA 2.2.0 on RHEL6
>
> Server:
>
> [root at validserver ~]# rpm -qa | grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
>
> Client:
>
> [root at validhost ~]# rpm -qa | grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
>
> My sudo-ldap.conf file:
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
> bindpw validpassword
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://validserver ldap://validserver2
> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
>
> What I'm trying to do:  I have a group of users that I'd like to have
> restart apache on a group of hosts.
>
> What I've done:  created a user group, created a group of hosts (in a
> grouplist.)
>
> I can successfully run sudo in any configuration, *except* when using
> a host group.  When I try I get:
>
> Sorry, user validuser is not allowed to execute
> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>
> I can edit the same rule, change the host group (that only contains
> two hosts) and specify the two hosts directly and it works fine.
>
> Can someone else just try this and see if I've hit a bug?  I'm certain
> I couldn't have messed up creating the host group, but I suppose it's
> possible.
>
> I get the same behavior when I try a simple "/bin/cat" command through
> sudo, too.
>
> Is there a special config for using host groups?  I suspect I may have
> missed some obvious documentation.
>
What do your SUDO entries look like?
Do you see the host netgroup coming over to the system when you enumerate
netgroups?
Does it have the two hosts you mentioned?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
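The check asked about above (whether the host group reaches the client as a netgroup and lists both hosts), written as an added shell example that is not part of this thread; the netgroup name `webservers`, the host names and the sample `getent` line are assumed, and `getent netgroup` / `domainname` are only called in the live check function.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a FreeIPA host group is
# visible to a client as a netgroup and that it contains the expected hosts.
# Names below (webservers, validhost1/2.fqdn.com) are hypothetical.

# Print the host field of every (host,user,domain) triple on a getent line.
netgroup_hosts() {
    # $1: one line of `getent netgroup` output, e.g.
    #     webservers (validhost1.fqdn.com,-,fqdn.com) (validhost2.fqdn.com,-,fqdn.com)
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^(\([^,)]*\),.*$/\1/p'
}

# Print the NIS domain field of every triple. sudo matches netgroups through
# innetgr(3), which also compares this field with the client's NIS domain name.
netgroup_domains() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^([^,]*,[^,]*,\([^)]*\))$/\1/p'
}

# Return 0 when host $2 appears in netgroup line $1, 1 otherwise.
netgroup_has_host() {
    netgroup_hosts "$1" | grep -qx -- "$2"
}

# Live check on a real client: enumerate the netgroup via NSS (SSSD/compat
# tree) and confirm each expected host. Usage: check_hostgroup webservers h1 h2
check_hostgroup() {
    ng="$1"; shift
    line=$(getent netgroup "$ng") || { echo "netgroup $ng not visible"; return 1; }
    rc=0
    for h in "$@"; do
        if netgroup_has_host "$line" "$h"; then echo "ok: $h in $ng"
        else echo "MISSING: $h not in $ng"; rc=1; fi
    done
    local_dom=$(domainname 2>/dev/null)
    for d in $(netgroup_domains "$line" | sort -u); do
        [ "$d" = "$local_dom" ] || echo "warning: triple domain '$d' != client NIS domain '$local_dom'"
    done
    return $rc
}
```

A host that is missing from the enumerated netgroup, or a domain field that differs from the client's NIS domain name, explains a rule that works with hosts listed directly but not via the host group.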
