On all Ubuntu flavours, a simple solution is to install sudo from its
development page; the sudo included in the system does not work with groups
correctly. Up to Ubuntu 16.04.
From what I have seen, if a user is in a group that is in a different group,
sudo on Ubuntu does not recognize the second group (the group that the
user's group is a member of).
I haven't tested host groups, but it might be the same case there.
On 01.10.2017 at 16:58, Aaron Cole via FreeIPA-users wrote:
Hey Michael.
I have never added Ubuntu or Debian machines to an IPA server. I have gotten RHEL 5/6/7,
HPUX 11.31 and Solaris 10/11 machines added and working on my IPA servers. So I can hope
to shed some light from my troubles. I have found that the issue lies with how the sudo
on the server resolves its own hostname.
Can you attempt to debug sudo? You should be able to add a debug line to sssd.conf in the
[sudo] section.
Also have you tried to add a rule and explicitly list the server (not group)? This will
help determine if the issue is related to the host and passing comparing with the FQDN or
if it's having issues expanding host groups.
I'm sure you already know this, but including just in case:
From the sssd.conf man page from Ubuntu you can have a setting in there -
hostid_provider - make sure that is set to ipa. I'm sure this is setup from the
installation.
The man page also states: "Note: in order to use netgroups or IPA hostgroups in sudo
rules, you also need to correctly set nisdomainname(1) to your NIS domain name
(which equals to IPA domain name when using hostgroups)."
You can also set a setting in the sssd.conf to reflect the FQDN correctly ipa_hostname =
FQDN. I have had to set this, due to not being able to change hostnames from shortname to
FQDN.
Common things I have run into / fixed -
- hosts file is not set up correctly for the host. The host entry for itself has to be
set up as 10.0.0.5 ServerFQDN ServerShortname
- Set the server name to the FQDN vs shortname. If unable to set, statically set the
hostname with the --hostname option on installation.
- Ensure that the host entry FQDN in IPA is the same as the hosts file/hostname.
Otherwise you can set the hostname statically in sssd.conf with
- Set the nisdomain name to IPA domain.
- Added a sudo option into the sudo rule "fqdn", to ensure the fqdn will be
used by the hosts.
I would be more interested in what the debugging produces.
-Aaron
--
*Przemysław Orzechowski*
Network Administrator
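The host-side checks from the list in the quoted message (own hosts entry as "IP FQDN shortname", hostid_provider, ipa_hostname, NIS domain equal to the IPA domain), as an added shell example that is not part of either message. It assumes the sssd domain section is named `[domain/<IPA domain>]`; the function names and the host web1.ipa.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and names are arguments, so the
# checks can run against the live files or against copies of them.

# hosts_entry_ok HOSTS FQDN: the first line naming this host must read
# "IP FQDN shortname", i.e. the FQDN is the first name after the address.
hosts_entry_ok() {
    awk -v fqdn="$2" -v short="${2%%.*}" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if ($i == fqdn || $i == short) { seen = 1; ok = ($2 == fqdn); exit } }
        END { exit !(seen && ok) }' "$1"
}

# sssd_get CONF SECTION KEY: print the value of KEY in [SECTION] of an sssd.conf.
sssd_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_host HOSTS CONF IPA_DOMAIN FQDN NISDOMAIN
# Prints one line per failed check and returns the number of failures.
check_host() {
    _sec="domain/$3"; _fails=0   # assumption: section is [domain/<IPA domain>]
    hosts_entry_ok "$1" "$4" ||
        { echo "hosts: own entry should be 'IP $4 ${4%%.*}'"; _fails=$((_fails + 1)); }
    _v=$(sssd_get "$2" "$_sec" hostid_provider)
    [ -n "$_v" ] || _v=$(sssd_get "$2" "$_sec" id_provider)  # default when unset
    [ "$_v" = ipa ] ||
        { echo "sssd.conf: hostid_provider is '$_v', expected ipa"; _fails=$((_fails + 1)); }
    _v=$(sssd_get "$2" "$_sec" ipa_hostname)
    [ -z "$_v" ] || [ "$_v" = "$4" ] ||
        { echo "sssd.conf: ipa_hostname '$_v' differs from $4"; _fails=$((_fails + 1)); }
    [ "$5" = "$3" ] ||
        { echo "nisdomainname is '$5', expected IPA domain $3"; _fails=$((_fails + 1)); }
    return "$_fails"
}

# Live use (five arguments), for example:
#   sh check.sh /etc/hosts /etc/sssd/sssd.conf ipa.example.test "$(hostname -f)" "$(nisdomainname)"
if [ "$#" -eq 5 ]; then check_host "$@"; fi
```

A line such as `127.0.1.1 web1` ahead of the real address is reported as a failure, because the short name is then matched before the FQDN entry.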