Sparks, Alan wrote:
> I still can't find the problem after a lot of searching, can someone
> give me a little advice? Assembling a POC of FreeIPA 4.1.0 server
> (stock CentOS-7 packages) and a CentOS 6.7 server with their stock 3.0.0
> packages. Sudo version on the client is sudo-1.8.6p3.
>
> Have created a general sudo rule on the IPA server to grant access to a
> host group. However it doesn't allow access, just a "sparksa is not
> allowed to run sudo on als-centos0002". If I change the rule to not
> use host groups, and explicitly set the hosts, it works OK.
>
> Have checked the stuff I've seen in general search, like the
> nisdomainname, values are set and look plausible. The sudo debug logs
> seem to indicate vaguely that it can't match the netgroup:
>
> Nov 18 16:07:37 sudo[15713] username=sparksa
> Nov 18 16:07:37 sudo[15713] domainname=(null)
> Nov 18 16:07:37 sudo[15713] Received 1 rule(s)
> Nov 18 16:07:37 sudo[15713] sssd/ldap sudoHost '+opsauto' ... not
> Nov 18 16:07:37 sudo[15713] Sorting the remaining entries using the sudoOrder attribute
> Nov 18 16:07:37 sudo[15713] searching SSSD/LDAP for sudoers entries
> Nov 18 16:07:37 sudo[15713] Done with LDAP searches
> Nov 18 16:07:37 sudo[15713] keep HOSTNAME=als-centos0002.dakar.useast.hpcloud.net: YES
> Nov 18 16:07:37 sudo[15713] sudo_putenv: HOSTNAME=als-centos0002.dakar.useast.hpcloud.net
>
> The setup of the client used the normal ipa-client-install script.
> From questions asked before, some salient debugging info:
>
> [root@als-centos0002 sys-ops]# nisdomainname
> dakar.useast.hpcloud.net
> [root@als-centos0002 sys-ops]# hostname
> als-centos0002.dakar.useast.hpcloud.net
> [root@als-centos0002 sys-ops]# getent netgroup opsauto
> opsauto (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal) (als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)
>
> Does anyone have any advice on what additional debug I should look at,
> just not sure what I'm missing. Thanks in advance.

Your NIS domain name doesn't match.

dakar.useast.hpcloud.net != eucalyptus.internal

rob
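
The mismatch pointed out in the reply, as an added example that is not part of the original thread: a small check that parses the `getent netgroup` output quoted above and reports, per triple, whether the host and the local NIS domain match. The function names are hypothetical, and the matching rule (empty field is a wildcard, `-` matches nothing, case-insensitive comparison) is an assumption modelled on `innetgr`-style triple matching.

```python
import re

# Values copied from the command output quoted in the post.
GETENT_OUTPUT = (
    "opsauto (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal) "
    "(als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)"
)
NIS_DOMAIN = "dakar.useast.hpcloud.net"            # from `nisdomainname`
HOSTNAME = "als-centos0002.dakar.useast.hpcloud.net"  # from `hostname`

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(line):
    """Return (name, [(host, user, domain), ...]) from one getent line."""
    name = line.split(None, 1)[0]
    triples = [tuple(f.strip() for f in m.groups())
               for m in TRIPLE_RE.finditer(line)]
    return name, triples


def field_matches(field, wanted):
    """Assumed rule: empty field = wildcard, '-' = matches nothing."""
    if field == "":
        return True
    if field == "-":
        return False
    return field.lower() == wanted.lower()


def diagnose(line, host, nis_domain):
    """List (triple_host, verdict) explaining each triple's outcome."""
    report = []
    for t_host, _user, t_domain in parse_netgroup(line)[1]:
        if not field_matches(t_host, host):
            verdict = "host mismatch"
        elif not field_matches(t_domain, nis_domain):
            verdict = "domain mismatch: triple=%r local=%r" % (t_domain, nis_domain)
        else:
            verdict = "match"
        report.append((t_host, verdict))
    return report


def host_in_netgroup(line, host, nis_domain):
    return any(v == "match" for _, v in diagnose(line, host, nis_domain))


if __name__ == "__main__":
    for entry in diagnose(GETENT_OUTPUT, HOSTNAME, NIS_DOMAIN):
        print(entry)
```
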
