https://bugzilla.redhat.com/show_bug.cgi?id=847566 (Red Hat Enterprise Linux 6)
Description of problem:
When a client does not have nisdomainname set and is using an IPA sudo rule with a host group set, the sudo rule fails as it cannot find the hostgroup. If sudoers_debug 3 is set in /etc/ldap.conf (or the relevant file as per sudo -V | grep ldap.conf), the only message you get is:

<snip>
sudo: ldap sudoHost '+host-group' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
</snip>

Would be useful if the messages were more verbose and indicated that the nisdomainname is not set.

Version-Release number of selected component (if applicable):
Multiple versions

How reproducible:

Steps to Reproduce:
1. unset the nisdomainname (or set it to the incorrect domainname)
2. Set up a sudorule in IPA with access set to: Command Category: all, users: all, groups: <restricted to a host group>
3. Run sudo command on a server specified in the host group

Actual results:
Sudo command will fail as the host group is not (assume found). Actual error is: "sudo: ldap sudoHost '+host-group' ... not"

Expected results:
Error to give more detail as to why the host group is not matching, i.e. due to nisdomainname being not set or incorrect

Additional info:
For IPA if we always set the nisdomainname then this becomes a non-issue. We can/should do this in ipa-client-install.
The bugzilla is being cloned against SUDO for better error message.
Changing 3.2 priority
Closing the ticket as duplicate to #3202. Just like Rob suggests in comment:2, when #3202 is finished, ipa-client-install will always set the nisdomainname.
Metadata Update from @dpal: - Issue assigned to tbabej - Issue set to the milestone: Future Releases
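Until sudo reports the cause itself, the failure described in this ticket can be recognised from the debug output plus the client's NIS domain name. The following is an added example, not code from sudo or FreeIPA: the function name `sudo_hostgroup_hint` and its result strings are hypothetical, and the sample log is constructed from the lines quoted in the description.

```shell
#!/bin/sh
# Added diagnostic sketch (not part of sudo or FreeIPA).
# Arg 1: sudoers_debug output; arg 2: output of `nisdomainname` on the client.
# Assumption: on Linux an unset NIS domain is printed as "(none)".

# Constructed sample, using the debug lines quoted in the ticket.
SAMPLE_LOG="sudo: ldap sudoHost '+host-group' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40"

sudo_hostgroup_hint() {
    debug_log=$1
    nisdomain=$2

    # Collect '+name' sudoHost entries that sudo reported as "not" matching.
    failed_groups=$(printf '%s\n' "$debug_log" |
        sed -n "s/^sudo: ldap sudoHost '+\([^']*\)' \.\.\. not\$/\1/p" |
        paste -sd, -)

    # Only relevant if a host group failed and the host did not match at all.
    if [ -z "$failed_groups" ] ||
       ! printf '%s\n' "$debug_log" | grep -q '^sudo: host_matches=0$'; then
        echo "no-hostgroup-mismatch"
        return 0
    fi

    case $nisdomain in
        ''|'(none)')
            # The condition from the ticket: NIS domain not set on the client.
            echo "nisdomainname-unset:$failed_groups"
            ;;
        *)
            # Domain is set; per the ticket it may still be the wrong one.
            echo "nisdomainname-verify:$nisdomain:$failed_groups"
            ;;
    esac
}

# Demo on the constructed sample with an unset NIS domain.
sudo_hostgroup_hint "$SAMPLE_LOG" "(none)"
```

On a real client, pass the captured debug output as the first argument and the output of nisdomainname as the second.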