IPA user is unable to use 'sudo' on some IPA hosts/clients

Environment

  • Red Hat Enterprise Linux 7
  • IPA
  • sudo

Issue

  • IPA user is unable to use 'sudo' on some IPA hosts/clients

Resolution

1. On the IPA server, check whether the NGP plugin (the "NGP Definition" managed-entries definition) is enabled. The -p option takes the Directory Manager password:

# ipa-managed-entries status -e "NGP Definition" -p 'xxx'
Plugin Disabled

2. Enable the NGP plugin in IPA and confirm its status:

# ipa-managed-entries enable -e "NGP Definition" -p 'password'
# ipa-managed-entries status -e "NGP Definition" -p 'password'

3. Delete the existing faulty hostgroup and recreate it:

# ipa hostgroup-del testhostgroup
# ipa hostgroup-add testhostgroup other_options

4. Check that the netgroup entry was created automatically:

# ipa netgroup-show testhostgroup --all
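
The following is an added example, not part of the original article or of IPA's tooling: a shell helper that compares the hostgroup list with the managed netgroups and prints every hostgroup that lacks a same-named netgroup, that is, the candidates for step 3. The function names, the sample data, and the `Host-group:` / `Netgroup name:` output labels it parses are assumptions.

```shell
#!/bin/sh
# Added example: find hostgroups that have no same-named managed netgroup.
# Assumption: `ipa ...-find --pkey-only` prints one "LABEL: name" line per
# entry, with the labels "Host-group" and "Netgroup name".

# Print the value of every "LABEL: value" line read from stdin, sorted.
names() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | sort -u
}

# $1 = output of: ipa hostgroup-find --pkey-only --sizelimit=0
# $2 = output of: ipa netgroup-find --managed --pkey-only --sizelimit=0
# Prints hostgroups without a matching netgroup, one per line.
missing_netgroups() {
    hg=$(mktemp)
    ng=$(mktemp)
    printf '%s\n' "$1" | names 'Host-group' > "$hg"
    printf '%s\n' "$2" | names 'Netgroup name' > "$ng"
    # comm -23 keeps lines that appear only in the first (hostgroup) list.
    comm -23 "$hg" "$ng"
    rm -f "$hg" "$ng"
}

# Constructed sample output (not captured from a real server).
sample_hostgroups='---------------------
3 hostgroups matched
---------------------
  Host-group: ipaservers

  Host-group: testhostgroup

  Host-group: webservers'

sample_netgroups='--------------------
2 netgroups matched
--------------------
  Netgroup name: ipaservers

  Netgroup name: webservers'

# Demo on the constructed sample; on a real server pass the command output:
#   missing_netgroups "$(ipa hostgroup-find --pkey-only --sizelimit=0)" \
#                     "$(ipa netgroup-find --managed --pkey-only --sizelimit=0)"
missing_netgroups "$sample_hostgroups" "$sample_netgroups"
```

An empty result means every hostgroup has its netgroup; any name printed is a hostgroup that was created while the plugin was disabled.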

Root Cause

  • The NGP plugin was disabled in IPA, so the netgroups associated with hostgroups were not available:
# ipa-managed-entries status -e "NGP Definition" -p 'xxx'
Plugin Disabled
  • sudo was failing because it could not match a netgroup entry (for the associated hostgroup) for the IPA host/client. In an IPA environment, a netgroup entry with the same name as the hostgroup is created when the hostgroup is added.

Diagnostic Steps

  • Check the sssd and sudo debug logs.
  • Check IPA configuration.
