I have recently found out that when adding SUDO rules to my IPA server, the host groups
are not evaluated correctly. I am using the same host groups in my HBAC and they are
working correctly. If I remove the host groups from the SUDO rule, and instead directly
put the server in as an individual host, the SUDO rule works correctly. If I simply set it
to allow "all" hosts, while leaving the rest of the SUDO rule the same, it also
works.
Running a sudo command with the host groups provides the error:
"test1 is not allowed to run sudo on srv1. This incident will be reported."
I have turned on some debugging for SSSD and SUDO but it is extremely verbose, and after
realizing the same host groups work with HBAC, I am skeptical this is an issue with my
configuration. Anyone have some troubleshooting tips or workarounds? Is there perhaps a
known bug I didn't find about this? As much as I hate it, my "right now"
workaround is to just allow it on all hosts, and rely on my HBAC to determine what groups
can log into what hosts. However, this isn't a true fix, just a stopgap while I look
into this.
IPA Client versions:
ipa --version
VERSION: 4.6.8, API_VERSION: 2.237
IPA Server version:
ipa --version
VERSION: 4.6.8, API_VERSION: 2.237