[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Macklin, Jason jason.macklin at roche.com
Wed Oct 17 13:26:55 UTC 2012


Okay,

  Rule name: test4
  Enabled: TRUE
  Command category: all
  Users: asteinfeld
  Hosts: dbduwdu062.dbr.roche.com
  Host Groups: tempsudo

Client dbduwdu062 is matched in the rule by both the Hosts and Host Groups entries.

/etc/nsswitch.conf has:

	Netgroups: files sss

getent netgroup tempsudo returns:

	[jmacklin at dbduwdu062 Desktop]$ getent netgroup tempsudo
	tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)

Regarding the previous ldapsearch request:

	[jmacklin at dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
	SASL/GSSAPI authentication started
	ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
	additional info: Entry permanently locked.

I am still scratching my head on this one...

Cheers,
Jason

If you look closely, the reason your admin works is that it appears to be matching a sudo rule that has the "ALL" hosts value set.

When you run the non-working user, it is attempting to match the hostname/hostgroup to the rule and fails to do so.

Try this. Type: getent netgroup hostgroupname <- your host's hostgroup goes there.

^ that command should return all of the hosts in your hostgroup. If it does not, then check /etc/nsswitch.conf and make sure that netgroup is set to use sss.

You will also need to make sure that the output of domainname or nisdomainname matches your expected domain.

Let me know how things look after trying that.
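The three checks in the reply above (netgroup resolvable through getent, nsswitch.conf pointing netgroup at sss, NIS domain name matching the domain field of the netgroup triples) can be scripted. The following is an added example written for this page, not code from the thread or from FreeIPA/SSSD; it parses getent-style netgroup triples "(host, user, domain)" with ordinary netgroup wildcard semantics (an empty field matches anything) and checks an nsswitch.conf text for the netgroup database. The sample nsswitch.conf contents and the getent line are constructed inline so the script runs offline; the hostnames are the ones from the thread. The live_check function at the end shows how the same logic is fed from a real host (getent, hostname -f, nisdomainname) and is not called by default.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce the manual
# checks for IPA sudo host matching via netgroups, against constructed input.

# --- constructed sample data (stands in for files/commands on a real host) ---
SAMPLE_NSSWITCH_OK='passwd:   files sss
group:    files sss
netgroup: files sss
sudoers:  files sss'

SAMPLE_NSSWITCH_BAD='passwd:   files sss
netgroup: files'

# Shape of "getent netgroup tempsudo" output, taken from the thread.
SAMPLE_GETENT='tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)'

# Print the sources configured for the netgroup database in nsswitch.conf text ($1).
netgroup_sources() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*netgroup:[[:space:]]*//p'
}

# Succeed only if "sss" is one of the netgroup sources.
nsswitch_uses_sss() {
    case " $(netgroup_sources "$1") " in
        *" sss "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Succeed if a triple in the getent line ($1) matches host ($2) in NIS domain ($3).
# Empty host or domain fields are wildcards; "-" never matches (netgroup convention).
host_in_netgroup() {
    printf '%s\n' "$1" | awk -v host="$2" -v domain="$3" '
    {
        n = split($0, parts, "(")              # parts[2..n] are the triples
        for (i = 2; i <= n; i++) {
            sub(/\).*/, "", parts[i])          # drop ")" and anything after it
            m = split(parts[i], f, ",")
            for (j = 1; j <= m; j++) gsub(/^[ \t]+|[ \t]+$/, "", f[j])
            if ((f[1] == "" || f[1] == host) && (f[3] == "" || f[3] == domain))
                found = 1
        }
    }
    END { exit (found ? 0 : 1) }'
}

# Run both checks and print a verdict; returns 0 only if everything lines up.
diagnose() {
    nsswitch=$1; getent_line=$2; host=$3; domain=$4; rc=0
    if nsswitch_uses_sss "$nsswitch"; then
        echo "ok:   nsswitch.conf netgroup sources: $(netgroup_sources "$nsswitch")"
    else
        echo "FAIL: nsswitch.conf netgroup line does not include sss"; rc=1
    fi
    if host_in_netgroup "$getent_line" "$host" "$domain"; then
        echo "ok:   $host is in the netgroup for domain '$domain'"
    else
        echo "FAIL: no triple matches ($host, -, $domain); check hostname -f and nisdomainname"; rc=1
    fi
    return $rc
}

# On a real client, feed the same checks from the live system (not run here).
# Usage: live_check <netgroup-name>
live_check() {
    diagnose "$(cat /etc/nsswitch.conf)" "$(getent netgroup "$1")" \
             "$(hostname -f)" "$(nisdomainname 2>/dev/null)"
}

# Demonstration with the constructed data: the thread's host in its domain,
# then the same host under a mismatched NIS domain name.
diagnose "$SAMPLE_NSSWITCH_OK" "$SAMPLE_GETENT" dbduwdu062.dbr.roche.com dbr.roche.com
diagnose "$SAMPLE_NSSWITCH_BAD" "$SAMPLE_GETENT" dbduwdu062.dbr.roche.com example.com || true
```

The second diagnose call shows the failure mode the reply is pointing at: the host is present in the netgroup, but if nisdomainname on the client does not equal the domain field of the triple (dbr.roche.com here), the triple does not match and sudo falls back to rules with Hosts set to ALL only.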
