Sorry for not defining the question. The question for this is: Are sudo rules supposed to be inherited in the same manner as HBAC rules?
From the case above, all my HBAC rules are working fine with indirect membership, but sudo only works with direct membership. I also saw the Tech Preview SSSD packages for RHEL 6.8. I tried those too and verified that the issue is still present.

On Wed, Jan 27, 2016 at 9:36 AM, sysadmin ofdoom <[email protected]> wrote:
> I am trying to implement FreeIPA in a larger environment. Due to the
> complexity of the environment I've been constructing a user group structure
> such that I have groups at the following levels:
>
> project --> project_at_site --> project_site_vendor
>
> HBAC rules are defined at the lowest level (vendor at site) and associated
> with a host group at the same level.
>
> Each of the above user group levels will have a corresponding sudo group.
> (Used to provide a vendor access to servers the vendor supports at a
> specific site at a moment's notice)
>
> HBAC rules are propagating up the chain correctly.
>
> When a user is added to a top level group (e.g. project or project-sudo)
> the indirect membership shows up for both sudo and HBAC rules.
>
> The problem is that I can't get the sudo privileges to work when the user
> shows indirect membership for the sudo rule. If I make the user a direct
> member of the sudo rule, I can use sudo.
>
> As I've looked at debug logs, I was able to see that the query used was
> identical when I was successful at using sudo and when I got denied.
> The difference is the failure would have a message like
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for
> [[email protected]]. The successes returned 2 rules.
>
> The only change made between the success and failure was making the user a
> direct member of the sudo rule where the failure was an indirect member.
>
> Thanks for any help!
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
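As an added example (not part of this thread, and not SSSD or FreeIPA code), the following POSIX shell helper pulls the per-user rule count out of the sssd_sudo.log message the poster quotes, so the "indirect member" and "direct member" runs can be compared mechanically instead of by eye. The log excerpt, the user names alice/bob@EXAMPLE.TEST and the timestamps are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD/FreeIPA.
# Extracts the rule count from the sssd_sudo.log line quoted in the thread:
#   [sudosrv_get_sudorules_from_cache] (0x0400): Returning N rules for [USER]
# Messages at the 0x0400 level are only written when the [sudo] section of
# sssd.conf has debug_level = 6 or higher; at lower levels nothing matches.

# Constructed log excerpt (users and timestamps are made up for this example):
# first lookup while alice is only an indirect member of the sudo rule's group,
# then a lookup after she was made a direct member.
SAMPLE_LOG='(Wed Jan 27 09:00:01 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [alice@EXAMPLE.TEST]
(Wed Jan 27 09:00:01 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [bob@EXAMPLE.TEST]
(Wed Jan 27 09:05:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [alice@EXAMPLE.TEST]'

# rule_counts USER < sssd_sudo.log
# Prints one count per matching line for USER, oldest first.
# grep -F keeps the brackets in "[USER]" literal so bob's line never matches alice.
rule_counts() {
    user="$1"
    grep -F 'sudosrv_get_sudorules_from_cache' \
      | grep -F "rules for [$user]" \
      | sed -n 's/.*Returning \([0-9][0-9]*\) rules for .*/\1/p'
}

# last_rule_count USER < sssd_sudo.log
# Prints the most recent count for USER, or "none" if the log has no entry.
last_rule_count() {
    n=$(rule_counts "$1" | tail -n 1)
    if [ -z "$n" ]; then
        echo none
    else
        echo "$n"
    fi
}

# compare_runs USER BEFORE_LOG AFTER_LOG
# Prints "dropped", "same" or "gained" depending on how USER's latest count
# changed between two captures of the log (for instance before and after a
# group membership change, with `sss_cache -E` run in between so the second
# capture is not served from a stale cache).
compare_runs() {
    user="$1"
    before=$(last_rule_count "$user" < "$2")
    after=$(last_rule_count "$user" < "$3")
    if [ "$before" = none ]; then before=0; fi
    if [ "$after" = none ]; then after=0; fi
    if [ "$after" -lt "$before" ]; then
        echo dropped
    elif [ "$after" -gt "$before" ]; then
        echo gained
    else
        echo same
    fi
}

# Stand-alone demonstration on the constructed excerpt.
printf '%s\n' "$SAMPLE_LOG" | rule_counts 'alice@EXAMPLE.TEST'
printf '%s\n' "$SAMPLE_LOG" | last_rule_count 'alice@EXAMPLE.TEST'
```

On a real client, feed the functions /var/log/sssd/sssd_sudo.log and cross-check the counts against what the directory and the client each believe: `ipa user-show USER` lists direct and indirect group membership separately, `ipa sudorule-show RULE` shows which user groups the rule binds, and `sudo -l -U USER` (as root) shows what sudo itself resolves on that host. Run `sss_cache -E` between the two captures; otherwise a cached result from before the membership change can be mistaken for the rule not applying.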
