[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Dmitri Pal dpal at redhat.com
Tue Oct 16 14:32:32 UTC 2012


On 10/16/2012 10:05 AM, Macklin, Jason wrote:
>
> When I become the user in question I see the following in the sssd log.
>
>  
>
>             [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC
> rule [test]
>
>  
>
> I think this is a sudo problem before anything else.  For a user in
> which sudo works, host_matches = 1 always returns when debugging is
> on.  For a user that does not work host_matches always equals 0 (zero).
>
>  
>

Is there any way to see a more detailed debug log from sudo then? It
should show what it is looking for and what it is getting back from the
server.

> I am open to troubleshooting the ldap configuration as I am not
> convinced that it is referencing the host properly.  I enroll the
> clients using FQDN, but noticed that initially, domainname and
> nisdomainname would return (none).  Fixing these to show the correct
> domain did not change the behavior of the nodes though.
>
>  
>
> Thanks again!
>
>  
>
> Jason
>
>  
>
> *From:*freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Dmitri Pal
> *Sent:* Monday, October 15, 2012 5:58 PM
> *To:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Sudo works for full access, but not on
> a per command or host level.
>
>  
>
> On 10/15/2012 04:46 PM, Dmitri Pal wrote:
>
> On 10/15/2012 04:34 PM, Macklin, Jason wrote:
>
> Hi,
>
>  
>
> I apologize up front if this is obvious, but I'm having issues
> configuring sudo privileges. 
>
>  
>
> I currently have an IPA server running FreeIPA 2.2 with sudo
> configured for our administrators on all hosts.  This works
> fantastic!  As soon as I attempt to configure a more specific sudo
> rule it does not work.  In my troubleshooting, I have noticed that
> from the same host my admin level privileges work, but with another
> user account setup to just run one command, it fails.  I have turned
> on sudo debugging and the only thing I can find that looks out of
> sorts is the following:
>
>  
>
> sudo: host_matches=0
>
>  
>
> As soon as I move the user account that is failing into the admin
> group it starts to work.
>
>  
>
> I have attempted every iteration of sudo configuration on the server
> that I can think of.  I have setup HBAC and given that a shot as
> well.  At this point I'm completely stumped and would appreciate any
> help that I can get!
>
>
> What does sudo test return?
>
>
> Yes I meant HBAC. I might have confused you and myself so let us start over.
>
> First we need to make sure that the authentication happens correctly
> so if HBAC is set to allow you should see in the SSSD log that access
> is granted. That will limit the problem to just SUDO. If you have the
> allow_all HBAC rule and no other rules then we can probably skip this
> step and move on to trying to solve the actual SUDO part.
>
> So with SUDO one of the known issues is the long vs short hostname. Do
> you by any chance use a short host name for that host?
> If names are FQDN the next step would be to use ldapsearch from the
> client and see what LDAP entries the server would return.
>
>
>      
>
>     Thank you in advance for your assistance,
>
>     Jason
>
>
>
>
>     _______________________________________________
>
>     Freeipa-users mailing list
>
>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
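An added example, not code from the thread or from sudo/FreeIPA: a small Python model of sudo's client-side sudoHost matching (an approximation of the behaviour described in sudoers(5), which is an assumption here, not sudo's own code). It shows why a per-host rule written with an FQDN yields host_matches=0 on a client that only knows itself by its short name, while the admins rule with sudoHost=ALL still passes. Rule names, hostnames and addresses are constructed.

```python
import fnmatch
import ipaddress

# Assumed model of sudo's host check: a sudoHost pattern containing a dot is
# compared with the long hostname (FQDN), one without a dot with the short
# hostname, case-insensitively; shell wildcards and IP/netmask values are
# allowed. Netgroup values (+name) are skipped, sudo resolves those separately.

def _name_matches(shost, lhost, pattern):
    target = lhost if "." in pattern else shost
    if any(c in pattern for c in "*?["):
        return fnmatch.fnmatchcase(target.lower(), pattern.lower())
    return target.lower() == pattern.lower()

def _addr_matches(addrs, pattern):
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # not an address or address/netmask
    return any(ipaddress.ip_address(a) in net for a in addrs)

def host_matches(sudo_hosts, shost, lhost, addrs=()):
    """True if any sudoHost value of one rule applies to this client."""
    for value in sudo_hosts:
        if value == "ALL":
            return True
        if value.startswith("+"):
            continue  # netgroup membership is outside this model
        if _addr_matches(addrs, value) or _name_matches(shost, lhost, value):
            return True
    return False

def diagnose(rules, shost, lhost, addrs=()):
    """Map each rule name to its host_matches result for the given client."""
    return {name: host_matches(hosts, shost, lhost, addrs)
            for name, hosts in rules.items()}

# Constructed sample: an admins rule for all hosts and a per-host rule.
RULES = {"admins": ["ALL"], "backup_node01": ["node01.example.com"]}

if __name__ == "__main__":
    # Client whose hostname is the short name and whose sudo "fqdn" option is
    # off: both names sudo sees are "node01", so the FQDN rule does not match.
    print(diagnose(RULES, "node01", "node01"))
    # Same client once it reports its FQDN (or with the fqdn option enabled).
    print(diagnose(RULES, "node01", "node01.example.com"))
```

Comparing the second run against the first is the quick way to confirm that a host_matches=0 comes from the hostname form rather than from the rule's user or command part.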


