What were you trying to do that didn't work?
Via the IdM Web UI, a sudo rule can be constructed that specifies the rule should apply to the "ipaservers" host group. However, because this group does not have a matching nisNetGroup, the sudo rule will not provide the expected access. Running the sudo command on one of the servers in the ipaservers group will simply result in a failure.
What is the impact of this issue to you?
From an end-user perspective, creating sudo rules against a default group in IdM should 'just work' and not require workarounds. The bug is obscure and it can take hours to determine the cause.
Please provide the package NVR for which the bug is seen:
ipa-server-4.9.13-18
ipa-server-common-4.9.13-18
How reproducible is this bug?:
Every time
Steps to reproduce
- Create a sudo rule that specifies "ipaservers" in the "Access this host: Host Groups" section
- SSH into an IPA server (member of "ipaservers" group) as a user affected by that sudo rule
- Attempt to use sudo command (e.g., 'sudo -l') and see failure.
- Change rule from "ipaservers" to any other group, or explicitly listing specific individual servers, or simply "Any Host", and 'sudo -l' succeeds.
Expected results
sudo should succeed
Actual results
sudo on client fails
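
A check for the condition described in this report, as an added example that is not part of the original report or of IdM's own code: it scans an LDIF export for sudo rules whose host group has no managed netgroup. It assumes the usual FreeIPA layout, where sudo rules reference host groups through `memberHost` and a host group records its netgroup in `mepManagedEntry`; those attribute names, the `dc=example,dc=test` suffix and the sample entries are assumptions and constructed data, not values from the report.

```python
# Constructed sample LDIF (not from a real directory); the suffix is made up.
SAMPLE_LDIF = """\
dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test
objectClass: ipahostgroup
cn: ipaservers

dn: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=test
objectClass: ipahostgroup
cn: webservers
mepManagedEntry: cn=webservers,cn=ng,cn=alt,dc=example,dc=test

dn: ipaUniqueID=constructed-1,cn=sudorules,cn=sudo,dc=example,dc=test
objectClass: ipasudorule
cn: admins-on-ipaservers
memberHost: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test

dn: ipaUniqueID=constructed-2,cn=sudorules,cn=sudo,dc=example,dc=test
objectClass: ipasudorule
cn: admins-on-web
memberHost: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=test
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into {attr_lower: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def has_class(entry, name):
    return name in (c.lower() for c in entry.get("objectclass", []))

def rules_without_netgroup(entries):
    """Return (rule cn, host group cn) pairs whose host group lacks a managed netgroup."""
    groups = {e["dn"][0].lower(): e for e in entries if has_class(e, "ipahostgroup")}
    findings = []
    for rule in (e for e in entries if has_class(e, "ipasudorule")):
        for target in rule.get("memberhost", []):
            group = groups.get(target.lower())
            # Assumption: a missing mepManagedEntry means no matching netgroup exists.
            if group is not None and not group.get("mepmanagedentry"):
                findings.append((rule["cn"][0], group["cn"][0]))
    return findings

if __name__ == "__main__":
    print(rules_without_netgroup(parse_ldif(SAMPLE_LDIF)))
```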