Hello, I have been doing a lot of research on trying to get host groups to work with sudoers policies. However, I'm finding that this can't be done and can only be achieved by using netgroups. Is this true? I just would like some validation/confirmation before I go too far down the rabbit hole.
Andrew Meyer via FreeIPA-users wrote:
> Hello, I have been doing a lot of research on trying to get host groups to work with sudoers policies. However, I'm finding that this can't be done and can only be achieved by using netgroups. Is this true? I just would like some validation/confirmation before I go too far down the rabbit hole.
A hostgroup automatically creates a netgroup of the same name. Lookups are done on the end system as a netgroup so you need to be sure that the NIS domainname is set (should be done automatically by ipa-client-install).
rob
Yes, but what about adding the hostgroup to the sudo policy? Do I still need to add the netgroup instead?
On Wednesday, April 18, 2018 10:17 AM, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> Andrew Meyer via FreeIPA-users wrote:
>> Hello, I have been doing a lot of research on trying to get host groups to work with sudoers policies. However, I'm finding that this can't be done and can only be achieved by using netgroups. Is this true? I just would like some validation/confirmation before I go too far down the rabbit hole.
> A hostgroup automatically creates a netgroup of the same name. Lookups are done on the end system as a netgroup so you need to be sure that the NIS domainname is set (should be done automatically by ipa-client-install).
> rob
Andrew Meyer wrote:
> Yes, but what about adding the hostgroup to the sudo policy? Do I still need to add the netgroup instead?
sudorule-add-host Add hosts and hostgroups affected by Sudo Rule.
hostgroups are represented as netgroups.
rob
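A client-side check for the lookup described in the replies above, added here as an example and not part of the original thread: it tests whether a netgroup line, as printed by `getent netgroup NAME`, matches a given host under a given NIS domain. The function name, the `webservers` hostgroup and the `ipa.example` names are constructed for illustration, and treating an unset NIS domain as a separate error is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Names and sample data are constructed.

# netgroup_matches_host GETENT_LINE HOST NISDOMAIN
#   GETENT_LINE: one line as printed by `getent netgroup NAME`
#   HOST:        this client's FQDN (e.g. from `hostname -f`)
#   NISDOMAIN:   output of `domainname`
# Returns 0 = a triple matches, 1 = no triple matches, 2 = NIS domain unset.
netgroup_matches_host() {
    line=$1; host=$2; nisdomain=$3
    # An unset NIS domain prints as empty or "(none)"; the thread's
    # precondition is that it must be set, so report that separately.
    case $nisdomain in
        ''|'(none)') return 2 ;;
    esac
    # Split "(h,u,d) (h,u,d)" into one "h,u,d" per line, then test each.
    printf '%s\n' "$line" | tr ')' '\n' | sed -n 's/^.*(//p' | tr -d ' \t' | (
        while IFS=, read -r h u d; do
            # Netgroup triple rules: an empty field is a wildcard,
            # "-" matches nothing (it can never equal a real name).
            if [ -z "$h" ] || [ "$h" = "$host" ]; then
                if [ -z "$d" ] || [ "$d" = "$nisdomain" ]; then
                    exit 0
                fi
            fi
        done
        exit 1
    )
}

# Constructed sample: the netgroup backing a hostgroup named "webservers".
SAMPLE='webservers (web1.ipa.example,-,ipa.example) (web2.ipa.example,-,ipa.example)'

# On a real client (commented out so the example runs offline):
#   netgroup_matches_host "$(getent netgroup webservers)" \
#       "$(hostname -f)" "$(domainname)"
```

A return code of 1 with the right host listed usually means the domain field of the triple and the client's NIS domain differ; a return code of 2 means the NIS domain is not set on the client.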