#7284 Host group "ipaservers" can be specified in sudo rule but will cause sudo rule to fail
Opened 6 years ago by frenaud. Modified 5 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1516391

Description of problem:
Via the IdM Web UI, a sudo rule can be constructed that specifies the rule should apply to the "ipaservers" host group. However, because this group does not have a matching nisNetGroup, the sudo rule will not provide the expected access. Running the sudo command on one of the servers in the ipaservers group will simply result in a failure.

Version-Release number of selected component (if applicable):
RHEL 7.4
ipa-server-4.5.0-21.el7_4.2.2.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Create a sudo rule that specifies "ipaservers" in the "Access this host: Host Groups" section
2. SSH into an IPA server (member of "ipaservers" group) as a user affected by that sudo rule
3. Attempt to use the sudo command (e.g., 'sudo -l') and see failure.
4. Change the rule from "ipaservers" to any other group, explicitly list specific individual servers, or simply choose "Any Host", and 'sudo -l' succeeds.

Actual results:
sudo on client fails

Expected results:
sudo should succeed

Additional info:
Discussion on Red Hat internal idm list Nov 22

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1516391

6 years ago

Metadata Update from @frenaud:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.7

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

A workaround is to create a new hostgroup and add the ipaservers hostgroup as a member of it (from freeipa-users).
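The description attributes the failure to the "ipaservers" host group having no matching netgroup, and the workaround above sidesteps that by wrapping it in a new host group. The following audit script is an added example, not code from the ticket or from the FreeIPA project: it reads a small LDIF dump and lists sudo rules that reference a host group with no netgroup of the same name. The LDIF content is constructed, and the tree layout it assumes (host groups under cn=hostgroups,cn=accounts, managed netgroups under cn=ng,cn=alt, sudo rules under cn=sudorules,cn=sudo, the example suffix dc=example,dc=com) is an assumption about a typical FreeIPA directory rather than something taken from this page.

```python
"""Audit helper: find sudo rules that point at a host group which has no
matching netgroup, the condition described in this ticket.

Everything below is an added example.  SAMPLE_LDIF is constructed data and
the DN layout is assumed (typical FreeIPA tree), not taken from the ticket.
"""
from __future__ import annotations

from typing import Dict, List

SUFFIX = "dc=example,dc=com"  # assumption: example realm suffix
HOSTGROUP_BASE = f"cn=hostgroups,cn=accounts,{SUFFIX}"
NETGROUP_BASE = f"cn=ng,cn=alt,{SUFFIX}"
SUDORULE_BASE = f"cn=sudorules,cn=sudo,{SUFFIX}"

# Constructed LDIF: two host groups, of which only "webservers" has a managed
# netgroup, and two sudo rules, one referencing each host group.
SAMPLE_LDIF = f"""\
dn: cn=ipaservers,{HOSTGROUP_BASE}
objectClass: ipahostgroup
cn: ipaservers
member: fqdn=ipa1.example.com,cn=computers,cn=accounts,{SUFFIX}

dn: cn=webservers,{HOSTGROUP_BASE}
objectClass: ipahostgroup
cn: webservers
member: fqdn=web1.example.com,cn=computers,cn=accounts,{SUFFIX}

dn: cn=webservers,{NETGROUP_BASE}
objectClass: ipanisnetgroup
objectClass: mepManagedEntry
cn: webservers
mepManagedBy: cn=webservers,{HOSTGROUP_BASE}

dn: cn=admins-on-servers,{SUDORULE_BASE}
objectClass: ipasudorule
cn: admins-on-servers
memberHost: cn=ipaservers,{HOSTGROUP_BASE}

dn: cn=admins-on-web,{SUDORULE_BASE}
objectClass: ipasudorule
cn: admins-on-web
memberHost: cn=webservers,{HOSTGROUP_BASE}
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader for the plain 'attr: value' form used above
    (no base64 values, no folded lines).  Returns dn -> {attr: [values]}
    with attribute names lower-cased."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in text.strip().split("\n\n"):
        dn = None
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if not line.strip():
                continue
            name, _, value = line.partition(": ")
            name = name.lower()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def _cn(dn: str) -> str:
    """Value of the leading RDN (assumes an unescaped 'cn=' or 'fqdn=' RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def _under(dn: str, base: str) -> bool:
    """True if dn is a direct or indirect child of base (case-insensitive)."""
    return dn.lower().endswith("," + base.lower())


def hostgroups_without_netgroup(entries: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Host groups with no netgroup of the same cn under NETGROUP_BASE."""
    netgroup_cns = {_cn(dn).lower() for dn in entries if _under(dn, NETGROUP_BASE)}
    return sorted(_cn(dn) for dn in entries
                  if _under(dn, HOSTGROUP_BASE) and _cn(dn).lower() not in netgroup_cns)


def broken_sudo_rules(entries: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Map each sudo rule cn to the host groups it references that lack a netgroup."""
    missing = set(hostgroups_without_netgroup(entries))
    result: Dict[str, List[str]] = {}
    for dn, attrs in entries.items():
        if not _under(dn, SUDORULE_BASE):
            continue
        # memberHost may hold host DNs (fqdn=...) as well; keep only host group DNs.
        bad = sorted(_cn(h) for h in attrs.get("memberhost", [])
                     if _under(h, HOSTGROUP_BASE) and _cn(h) in missing)
        if bad:
            result[_cn(dn)] = bad
    return result


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("host groups without a netgroup:", hostgroups_without_netgroup(directory))
    print("sudo rules affected:", broken_sudo_rules(directory))
```

On the constructed data the script flags "ipaservers" and the one rule that references it, while "webservers" passes because its managed netgroup is present. Against a real deployment the same two functions can be fed an export of the three subtrees listed above; a rule that shows up in the result is one whose host matching will fail in the way the ticket describes, and the workaround on this page (a new host group with ipaservers as a member, in CLI terms `ipa hostgroup-add` followed by `ipa hostgroup-add-member --hostgroups=ipaservers`) is what makes it pass.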
