I checked that and it is set correctly:
[user1@host1 ~]$ nisdomainname
my_domain.com
If I try to run a command with the hosts specified indirectly through a
host group, it fails:
[user1@host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri ldap://ipa_server.my_domain.com
ldap_version 3
sudoers_base ou=SUDOers,dc=my_domain,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw **********
bind_timelimit 5000
timelimit 15
ssl start_tls
tls_checkpeer (yes)
tls_cacertfile /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search
'(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt
But if I remove the host group from the sudo rule and directly add the
hosts that were in the host group, it works fine:
<snip>
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search
'(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account@host1 ~]$
So something isn't lining up correctly with host groups in sudo rules
somewhere. I just haven't been able to track it down.
Thanks,
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
[email protected] | O / C +1 503 953-1389 | Skype: mark.tovey2
From: James Hogarth [mailto:[email protected]]
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> Did anyone find a solution for this? I am having the same experience.
Wow that was a mess...
To use hostgroups for sudo, ensure nisdomainname is set on the hosts to the IPA domain.
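The trace above shows the host-group case failing on the netgroup entry ('+hgroup1', host_matches=0) while a plain hostname matches. The following client-side check is an added example, not part of the thread or of FreeIPA: it reads the NIS domain the kernel reports, fetches the netgroup that IPA exports for the host group through NSS (`getent netgroup`), and tests whether this host's FQDN appears in a triple whose domain field is empty or equal to the NIS domain. The sample netgroup line, the host group name `hgroup1`, and the triple layout `(host,-,domain)` are assumptions for illustration.

```sh
#!/bin/sh
# Diagnostic for the failure shown in the thread: a sudo rule whose sudoHost is
# an IPA host group ('+hgroup1' in the debug output) is matched through the
# netgroup IPA exports for it, and that match compares this host's NIS domain
# against the domain field of each netgroup triple.

# Print the NIS domain as the kernel reports it. On Linux this reads "(none)"
# when nisdomainname has never been set, which can never equal the IPA domain.
nis_domain() {
    cat /proc/sys/kernel/domainname 2>/dev/null
}

# Check one line of `getent netgroup <name>` output (constructed sample):
#   "hgroup1   (host1.my_domain.com,-,my_domain.com) (host2.my_domain.com,-,my_domain.com)"
# for a triple whose host field is $2 and whose domain field is empty or equals
# $3 (an empty domain field in a triple matches any domain, as with innetgr(3)).
# Returns 0 on a match, 1 otherwise.
netgroup_matches_host() {
    line=$1; host=$2; domain=$3
    triples=${line#* }                  # drop the netgroup name
    for t in $triples; do
        t=${t#\(}; t=${t%\)}              # strip the parentheses
        h=${t%%,*}; rest=${t#*,}; d=${rest#*,}
        if [ "$h" = "$host" ]; then
            if [ -z "$d" ] || [ "$d" = "$domain" ]; then
                return 0
            fi
        fi
    done
    return 1
}

# Run the check against the live system for host group $1 (hypothetical name).
diagnose() {
    hg=$1; fqdn=$(hostname -f); dom=$(nis_domain)
    echo "nisdomainname: ${dom:-<unset>}"
    line=$(getent netgroup "$hg") || { echo "netgroup $hg not found via NSS"; return 1; }
    echo "$line"
    if netgroup_matches_host "$line" "$fqdn" "$dom"; then
        echo "OK: $fqdn matches netgroup $hg with domain '$dom'"
    else
        echo "NO MATCH: set nisdomainname to the IPA domain and retry"
        return 1
    fi
}

if [ -n "${1-}" ]; then diagnose "$1"; fi
```

Run it as `sh check_sudo_hostgroup.sh hgroup1` on the client; a NO MATCH result with nisdomainname reporting "(none)" is the condition the reply above describes.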
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users