I'm having an issue where users can't use sudo commands on IPA client hosts. I previously thought my issues with sudo were related to the type of commands, but I've narrowed it down to an issue with using host groups in the sudo rule access list instead of listing the hosts directly. When I use the host group with the host in it, my user cannot run the sudo commands on the host.
I have multiple debugs on in my sssd.conf and I have a ton of log files, but I'm not sure what will be useful in helping me troubleshoot.

IPA client 3.0.0, CentOS 6.6

To reproduce:

1. Add in sudo command
2. Create command group
3. Create host group
4. Add host into host group
5. Create sudo rule
6. Use user groups, host groups, and sudo command groups to create rule
7. Go onto client server
8. Clear out /var/lib/sss/db
9. Restart sssd
10. Test sudo for a user in the user group

Test will fail. If I do the same steps and just list the hosts for the sudo rule access, and not the host groups, the sudo commands work fine for the user.

When I'm using host groups, in the sssd_EXAMPLE.COM.log I see what looks like a successful check for the host in the host group. My hostgroup is uatcluster:

(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [be_get_account_info] (0x0100): Got request for [4100][1][name=uatcluster]
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu May 7 18:57:09 2015) [sssd[be[EXAMPLE.COM]]] [cleanup_groups] (0x0200): Found 3 expired group entries!

I tried to recreate all of my host groups, and uninstall and reinstall the ipa client on one of my hosts. Nothing seems to fix the issue. I'm not really sure where to go from here. It took me 4 days to get this far. I'm only mostly sure this is the issue. Thanks in advance for any help.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
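The sssd backend log excerpt in the post above is the kind of trace that is easier to read once each "Got request for [code]..." line is paired with the "Request processed. Returned ..." line that answers it and the numeric request code is decoded. The following script is an added example (not from the poster, and not part of sssd or FreeIPA) that does exactly that over the posted lines, which are embedded as constructed sample input. The BE_REQ_* constants it uses are my recollection of sssd's src/providers/data_provider.h from the 1.9-era SSSD that shipped with the IPA 3.0 client and are an assumption; check them against the header of the sssd version you actually run. Under that assumption, request code 4100 (0x1004) is BE_REQ_FAST | BE_REQ_NETGROUP, i.e. a cache-first netgroup lookup for "uatcluster", which is consistent with IPA presenting host groups to sudo as netgroups; the script only shows that the lookup succeeded, not whether the resulting netgroup contains the client's own FQDN, which is the next thing to verify on the client.

```python
"""Pair sssd backend requests with their callbacks and decode request codes.

Added triage helper, not code from the original post or from the sssd project.
The BE_REQ_* values below are an assumption (recalled from sssd 1.9-era
src/providers/data_provider.h); verify them against your sssd version.
"""
import re

# Assumed BE_REQ_* request types (low byte of the request code).
BE_REQ_TYPES = {
    0x0001: "user",
    0x0002: "group",
    0x0003: "initgroups",
    0x0004: "netgroup",
    0x0005: "services",
    0x0006: "sudo_full",
    0x0007: "sudo_rules",
    0x0009: "autofs",
    0x000A: "host",
}
BE_REQ_FAST = 0x1000       # assumed flag: "answer from cache if possible"
BE_REQ_TYPE_MASK = 0x00FF  # the type lives in the low byte

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REQ_RE = re.compile(r"Got request for \[(?P<code>\d+)\]\[(?P<attr>\d+)\]\[(?P<filter>[^\]]*)\]")
RES_RE = re.compile(r"Request processed\. Returned (?P<dp>\d+),(?P<errno>\d+),(?P<text>.*)$")

# Constructed sample input: the lines quoted in the post above.
SAMPLE_LOG = """\
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [be_get_account_info] (0x0100): Got request for [4100][1][name=uatcluster]
(Thu May 7 18:57:02 2015) [sssd[be[EXAMPLE.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu May 7 18:57:09 2015) [sssd[be[EXAMPLE.COM]]] [cleanup_groups] (0x0200): Found 3 expired group entries!
"""


def decode_request_type(code):
    """Split a be_get_account_info request code into (type name, fast flag)."""
    fast = bool(code & BE_REQ_FAST)
    name = BE_REQ_TYPES.get(code & BE_REQ_TYPE_MASK, "unknown(0x%04x)" % code)
    return name, fast


def parse_log(lines):
    """Pair each backend request with the acctinfo_callback that follows it.

    Returns a dict with:
      requests          - decoded be_get_account_info requests in log order
      unmatched_results - callbacks with no preceding request in the excerpt
      failures          - messages at debug level 0x0080 (minor failure) or worse
    """
    requests, pending, unmatched, failures = [], [], [], []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a backend log line in the expected format
        func, level, msg = m["func"], int(m["level"], 16), m["msg"]
        if level <= 0x0080:
            failures.append((m["ts"], func, msg))
        if func == "be_get_account_info":
            r = REQ_RE.search(msg)
            if r:
                code = int(r["code"])
                type_name, fast = decode_request_type(code)
                req = {"ts": m["ts"], "domain": m["domain"], "code": code,
                       "type": type_name, "fast": fast,
                       "filter": r["filter"], "result": None}
                requests.append(req)
                pending.append(req)
        elif func == "acctinfo_callback":
            r = RES_RE.search(msg)
            if r:
                result = (int(r["dp"]), int(r["errno"]), r["text"].strip())
                if pending:
                    pending.pop(0)["result"] = result  # answer the oldest open request
                else:
                    unmatched.append((m["ts"], result))
    return {"requests": requests, "unmatched_results": unmatched, "failures": failures}


def describe(req):
    """One-line human summary of a decoded request and its outcome."""
    flag = " (fast)" if req["fast"] else ""
    outcome = "no callback seen" if req["result"] is None else "%d,%d,%s" % req["result"]
    return "%s %s lookup%s for [%s] -> %s" % (req["ts"], req["type"], flag, req["filter"], outcome)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG.splitlines())
    for r in parsed["requests"]:
        print(describe(r))
    print("callbacks without a request in this excerpt:", len(parsed["unmatched_results"]))
    for ts, func, msg in parsed["failures"]:
        print("failure-level message:", ts, func, msg)
```

Run it against a full sssd_EXAMPLE.COM.log (replace SAMPLE_LOG with the file's lines) and look for the netgroup and sudo_rules requests around the time of the failing sudo attempt; a request with no callback, or a non-zero return triple, narrows the search far more than grepping the raw file.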
