Brian Sanders via FreeIPA-users wrote:
I have recently found out that when adding SUDO rules to my IPA
server, the host groups are not evaluated correctly. I am using the same host groups in
my HBAC and they are working correctly. If I remove the host groups from the SUDO rule,
and instead directly put the server in as an individual host, the SUDO rule works
correctly. If I simply set it to allow "all" hosts, while leaving the rest of the
SUDO rule the same, it also works.
Running a sudo command with the host groups provides the error:
"test1 is not allowed to run sudo on srv1. This incident will be reported."
I have turned on some debugging for SSSD and SUDO but it is extremely verbose, and after
realizing the same host groups work with HBAC, I am skeptical this is an issue with my
configuration. Anyone have some troubleshooting or workarounds? Is there perhaps a
known bug I didn't find about this? As much as I hate it, my "right now"
workaround is to just allow it on all hosts, and rely on my HBAC to determine what groups
can log into what hosts. However, this isn't a true fix, just a stopgap while I look
into this.
IPA Client versions:
ipa --version
VERSION: 4.6.8, API_VERSION: 2.237
IPA Server version:
ipa --version
VERSION: 4.6.8, API_VERSION: 2.237
There is no concept of hostgroups in SUDO but it does understand
netgroups so hostgroups are represented as netgroups. In order for this
to work your NIS domain name needs to be set properly.
You can try something like:
$ getent netgroup hg1
hg1 (ipa.example.test,-,example.test)
nisdomainname will set the NIS domain name.
rob
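Added example, not from the thread: a small POSIX shell helper that pulls the domain field out of the triples `getent netgroup` prints and compares it with the host's NIS domain name, which is the mismatch Rob points at. The sample netgroup line is constructed from his output; the function names and the `live_check` wrapper (which runs the real `getent netgroup` and `nisdomainname` on a client) are assumptions for this example.

```shell
#!/bin/sh
# Constructed example. An IPA hostgroup reaches sudo as a NIS netgroup, and
# sudo matches a netgroup triple "(host,user,domain)" only when the domain
# field is empty (wildcard) or equals this host's NIS domain name. The
# functions below make that check explicit so a mismatch can be spotted
# without wading through SSSD/sudo debug logs.

# Print the distinct domain fields of every "(host,user,domain)" triple on a
# getent netgroup line, e.g. "hg1 (ipa.example.test,-,example.test)".
netgroup_domains() {
    printf '%s\n' "$1" \
        | tr ' ' '\n' \
        | sed -n 's/^(\([^,]*\),\([^,]*\),\([^)]*\))$/\3/p' \
        | sort -u
}

# Return 0 when every triple's domain matches the NIS domain name given as
# the second argument (an empty domain field is a wildcard, so it is skipped
# by the word splitting and counts as a match), 1 on any mismatch.
check_netgroup_domain() {
    line=$1
    nisdom=$2
    status=0
    for d in $(netgroup_domains "$line"); do
        case "$d" in
            "$nisdom") ;;
            *)
                echo "mismatch: netgroup triple uses domain '$d', host NIS domain is '$nisdom'" >&2
                status=1
                ;;
        esac
    done
    return $status
}

# Hypothetical wrapper for a real client: resolve the hostgroup's netgroup
# through SSSD and compare it with the running NIS domain name. An unset
# NIS domain is usually reported by nisdomainname as "(none)", which never
# matches a real domain and therefore breaks hostgroup-based sudo rules.
live_check() {
    check_netgroup_domain "$(getent netgroup "$1")" "$(nisdomainname)"
}

# Offline demonstration on the constructed line from the thread.
sample='hg1 (ipa.example.test,-,example.test)'
check_netgroup_domain "$sample" 'example.test' && echo "hg1: domain matches"
```

Run `live_check hg1` on an affected client; a "mismatch" line naming `(none)` or a different domain means the host's NIS domain name needs to be set to the value in the netgroup triples before the hostgroup-based sudo rule can match.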