Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1516391
Description of problem:
Via the IdM Web UI, a sudo rule can be constructed that specifies the rule should apply to the "ipaservers" host group. However, because this group does not have a matching nisNetGroup, the sudo rule will not provide the expected access. Running the sudo command on one of the servers in the ipaservers group will simply result in a failure.

Version-Release number of selected component (if applicable):
RHEL 7.4
ipa-server-4.5.0-21.el7_4.2.2.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Create a sudo rule that specifies "ipaservers" in the "Access this host: Host Groups" section
2. SSH into an IPA server (member of "ipaservers" group) as a user affected by that sudo rule
3. Attempt to use sudo command (e.g., 'sudo -l') and see failure.
4. Change rule from "ipaservers" to any other group, or explicitly listing specific individual servers, or simply "Any Host", and 'sudo -l' succeeds.

Actual results:
sudo on client fails

Expected results:
sudo should succeed

Additional info:
Discussion on Red Hat internal idm list Nov 22
Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1516391

Metadata Update from @frenaud:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.7

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
A workaround is to create a new hostgroup and add the ipaservers hostgroup as a member of it (from freeipa-users).
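The workaround above, scripted as an added example (not code from this ticket, from the freeipa-users thread, or from the FreeIPA project): create a wrapper host group, which unlike "ipaservers" gets a managed netgroup, nest "ipaservers" inside it, and repoint the sudo rule at the wrapper. The wrapper name "ipaservers-sudo", the sudo rule name "admins-on-servers" and the host names in the sample `getent netgroup` line are assumptions; the script only uses standard `ipa` CLI commands and prints them instead of running them when IPA_DRY_RUN=1.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA: wraps the
# freeipa-users workaround for sudo rules that reference the "ipaservers"
# host group (which has no matching netgroup, so the rule never matches).
# Assumed names: the wrapper host group "ipaservers-sudo" and the sudo
# rule "admins-on-servers"; host names used for verification are constructed.

# run CMD...: execute CMD, or only print it when IPA_DRY_RUN=1 so the
# change can be reviewed before touching the directory.
run() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# hostgroup_has_netgroup NAME: succeeds if IPA has a netgroup of that name.
# Host groups created through the API get a managed netgroup; "ipaservers"
# does not, which is why a sudo rule naming it never matches on a client.
hostgroup_has_netgroup() {
    ipa netgroup-show "$1" >/dev/null 2>&1
}

# apply_workaround RULE WRAPPER: create WRAPPER (it gets a managed netgroup),
# nest ipaservers inside it, then point RULE at WRAPPER instead of ipaservers.
apply_workaround() {
    rule=$1
    wrapper=$2
    run ipa hostgroup-add "$wrapper" --desc="sudo workaround: wraps ipaservers"
    run ipa hostgroup-add-member "$wrapper" --hostgroups=ipaservers
    run ipa sudorule-remove-host "$rule" --hostgroups=ipaservers
    run ipa sudorule-add-host "$rule" --hostgroups="$wrapper"
}

# netgroup_contains LINE HOST: succeeds if a `getent netgroup` output line
# lists HOST in one of its (host,user,domain) triples. Use it on an enrolled
# server after the change, e.g. on the output of: getent netgroup ipaservers-sudo
netgroup_contains() {
    case "$1" in
        *"($2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (as an IPA admin, after kinit): SUDO_RULE=admins-on-servers sh workaround.sh
# Add IPA_DRY_RUN=1 to print the ipa commands instead of running them.
if [ -n "${SUDO_RULE:-}" ]; then
    if hostgroup_has_netgroup ipaservers; then
        echo "ipaservers already has a netgroup; workaround not needed" >&2
    else
        apply_workaround "$SUDO_RULE" "${WRAPPER_HOSTGROUP:-ipaservers-sudo}"
    fi
fi
```

After running it, `getent netgroup ipaservers-sudo` on a server should list every member of ipaservers, and `sudo -l` for an affected user should succeed; if the netgroup is empty, check that SSSD's netgroup cache has expired or clear it with `sss_cache -N`.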