On Tue, Apr 20, 2021 at 8:54 PM Brian Sanders via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> I believe I have mine working now, just a few more tests. It is in fact
> related to the nisdomainname. However from what I had read, it says the
> nisdomainname must match the host's domain. Which is what mine was set to.
> However I am finding that my hostgroups work in Sudo if I instead set the
> nisdomainname for the host to match the IPA server's domain. So for an
> example, I am running multiple test domains as follows.
>
> test.dev - main IPA domain and Kerberos realm
> host1.project1.test.dev
> host2.project1.test.dev
> host1.project2.test.dev
> host2.project2.test.dev
>
> In this setup, the ipa client seems to set up the nisdomain to be
> "project1.test.dev" etc. So when I checked it for the recommended
> settings, I would say that matched the recommendations. However to get my
> sudo host groups to work, I need to set all these hosts to use the
> nisdomainname of "test.dev". I don't know if this is well understood to
> be correct, but since the ipa client install seems to have done the setup,
> it feels like this isn't expected. This will however work for now for me,
> unless I find some other side effect of setting nisdomainname to the realm
> var.

Please see
https://listman.redhat.com/archives/freeipa-users/2017-March/msg00241.html.
This is intentional as a default NIS domain is common for the whole IPA
deployment rather than individual to subdomains.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
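
An added example, not part of the original thread: a small check that a client's NIS domain equals the IPA deployment domain, which is the condition the thread identifies for sudo host groups to match. It assumes the IPA domain is read from the `domain = ...` line of the client's `/etc/ipa/default.conf`; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the "domain" value from an IPA client config file
# (assumed layout: /etc/ipa/default.conf with a "domain = <name>" line).
ipa_domain_from_conf() {
    sed -n 's/^[[:space:]]*domain[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# check_nisdomain <conf-file> <nis-domain>
# Returns 0 if the NIS domain equals the IPA domain (case-insensitive),
# 1 if they differ, 2 if the config file has no domain line.
check_nisdomain() {
    conf=$1
    nisdom=$2
    ipadom=$(ipa_domain_from_conf "$conf")
    [ -n "$ipadom" ] || return 2
    a=$(printf '%s' "$ipadom" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$nisdom" | tr 'A-Z' 'a-z')
    [ "$a" = "$b" ]
}

# Demo on constructed input mirroring the thread's layout:
# IPA domain test.dev, clients living in project1.test.dev.
demo_conf=$(mktemp)
printf '[global]\nbasedn = dc=test,dc=dev\nrealm = TEST.DEV\ndomain = test.dev\n' > "$demo_conf"

for nis in project1.test.dev test.dev; do
    if check_nisdomain "$demo_conf" "$nis"; then
        echo "OK: NIS domain '$nis' matches the IPA domain"
    else
        echo "MISMATCH: NIS domain '$nis' differs from IPA domain '$(ipa_domain_from_conf "$demo_conf")'"
    fi
done
rm -f "$demo_conf"

# On a real client the second argument would come from the host itself:
#   check_nisdomain /etc/ipa/default.conf "$(nisdomainname)"
```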