[Freeipa-users] sudo hostgroup sanity check, please?

KodaK sakodak at gmail.com
Tue Jul 10 20:16:41 UTC 2012


On Tue, Jul 10, 2012 at 2:56 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 07/10/2012 03:15 PM, KodaK wrote:
>> I'm running IPA 2.2.0 on RHEL6
>>
>> Server:
>>
>> [root at validserver ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>>
>> Client:
>>
>> [root at validhost ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>>
>> My sudo-ldap.conf file:
>>
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
>> bindpw validpassword
>>
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>>
>> bind_timelimit 5
>> timelimit 15
>>
>> uri ldap://validserver ldap://validserver2
>> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
>>
>> What I'm trying to do:  I have a group of users that I'd like to have
>> restart apache on a group of hosts.
>>
>> What I've done:  created a user group, created a group of hosts (in a
>> grouplist.)
>>
>> I can successfully run sudo in any configuration, *except* when using
>> a host group.  When I try I get:
>>
>> Sorry, user validuser is not allowed to execute
>> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com.
>>
>> I can edit the same rule, change the host group (that only contains
>> two hosts) and specify the two hosts directly and it works fine.
>>
>> Can someone else just try this and see if I've hit a bug?  I'm certain
>> I couldn't have messed up creating the host group, but I suppose it's
>> possible.
>>
>> I get the same behavior when I try a simple "/bin/cat" command through
>> sudo, too.
>>
>> Is there a special config for using host groups?  I suspect I may have
>> missed some obvious documentation.
>>

> What do your SUDO entries look like?

Rule name:  test rule
Options: none
Who: specified users and groups
Users: jebalicki
User groups: none
Access this host: specified users and groups
Hosts: none
Host groups: tds-webhosts (contains the two valid client systems)
RUN COMMANDS
ALLOW
command category the rule applies to: specified commands and groups
sudo allow commands: /bin/cat
sudo allow command groups: none
Nothing denied.
"As whom" is left as default.

> Do you see host netgroup coming over to the system when you enumerate
> netgroups?

I don't know how to do this at the command line.  I'm googling for it.
The only thing I'm even vaguely familiar with (in that it exists) is
ypcat, but I thought sssd was taking care of "translating" the host
groups to netgroups for sudo?  I'm sorry, I'm just not familiar with
NIS at all.  The documentation tells me that a hidden netgroup is
created, so I shouldn't need to manually specify one, right?

> Does it have the two hosts you mentioned?

Once I find that I'll get back to you.  Thanks for taking the time.
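The netgroup enumeration asked about above, as an added example that is not from the thread: it parses `getent netgroup` output (a constructed sample line is embedded) and, when run on a client, also checks that the NIS domain name is set, which the IPA sudo documentation requires because sudo matches host netgroups with innetgr(). The netgroup name tds-webhosts and the validhost names come from the rule quoted above.

```shell
# Added diagnostic, not from the thread. sudo-ldap matches a sudoHost of
# "+tds-webhosts" through innetgr(), so three things must hold on the client:
# the NIS domain name is set, the host group's hidden netgroup resolves via
# NSS (netgroup: files sss in /etc/nsswitch.conf), and this host is a member.
# Constructed sample of `getent netgroup tds-webhosts` output for offline use.
SAMPLE_LINE='tds-webhosts (validhost1.fqdn.com,-,fqdn.com) (validhost2.fqdn.com,-,fqdn.com)'

# Report (exit 0/1) whether HOST is the host field of any (host,user,domain)
# triple on one line of getent netgroup output.
netgroup_line_has_host() {
    line=$1
    host=$2
    case $line in
        *" "*) rest=${line#* } ;;
        *) return 1 ;;          # name only: empty netgroup
    esac
    for triple in $rest; do
        t=${triple#\(}
        t=${t%\)}
        member_host=${t%%,*}
        [ "$member_host" = "$host" ] && return 0
    done
    return 1
}

# Live check on a client: check_sudo_hostgroup NETGROUP [HOST]
check_sudo_hostgroup() {
    netgroup=$1
    host=${2:-$(hostname -f)}
    nisdom=$(nisdomainname 2>/dev/null || true)
    if [ -z "$nisdom" ] || [ "$nisdom" = "(none)" ]; then
        echo "NIS domain name unset; set it to the IPA domain (nisdomainname <domain>)"
        return 1
    fi
    if ! line=$(getent netgroup "$netgroup"); then
        echo "netgroup $netgroup does not resolve via NSS/sssd"
        return 1
    fi
    if netgroup_line_has_host "$line" "$host"; then
        echo "ok: $host is in $netgroup: $line"
        return 0
    fi
    echo "$host missing from $netgroup: $line"
    return 1
}

if [ "$#" -ge 1 ]; then
    check_sudo_hostgroup "$@"
fi
```

Run it on one of the two clients as `sh check.sh tds-webhosts`; a non-zero exit with the printed reason tells you which of the three conditions failed.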