<html dir="ltr"> <head> <meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"> <style>  </style><style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style> </head> <body ocsi="0" fpstyle="1" lang="EN-US" link="blue" vlink="purple"> <div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Hi, my 2 cents, 2 possibilities, 1) There should I think be a HBAC rule and a sudo rule pair, I think you need both. For the HBAC rule with limited permissions you need the sudo privaledge and access say ssh and /or login, so at least 2, so when you say "1" it might be that? I dont know how you are getting access, it sounds possible. 2) or you have the bug I have it looks possible as well, Are you putting the host into a host group and using that host group in the sudo rule? There is a bug that stops that working, so in the sudo rule delete the host group and add the server server/host itself and see if that works. If so you have the bug, I find deleting the HBAC and sudo rules and starting again from scratch sometimes works, sometimes doesnt. I have 30~50% of my sudo rules with individial hosts and not groups because of this. If your problem is like mine, and you have RH support on RHEL? then raise a case, my one is #6963677 so I'd ask for it to be linked but its been open since August. :/ <div> <div style="font-family: Tahoma; font-size: 13px;"> regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 </div> </div> <div style="font-family: Times New Roman; color: rgb(0, 0, 0); font-size: 16px;"> <hr tabindex="-1"> <div style="direction: ltr;" id="divRpF400787">From: freeipa-users-bounces@redhat.com [freeipa-users-bounces@redhat.com] on behalf of Macklin, Jason [jason.macklin@roche.com] Sent: Tuesday, 16 October 2012 9:34 a.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] Sudo works for full access, but not on a per command or host level. </div> <div></div> <div> <div class="WordSection1"> Hi, I apologize up front if this is obvious, but I’m having issues configuring sudo privileges. I currently have an IPA server running FreeIPA 2.2 with sudo configured for our administrators on all hosts. This works fantastic! As soon as I attempt to configure a more specific sudo rule it does not work. In my troubleshooting, I have noticed that from the same host my admin level privileges work, but with another user account setup to just run one command, it fails. I have turned on sudo debugging and the only thing I can find that looks out of sorts is the following: sudo: host_matches=0 As soon as I move the user account that is failing into the admin group it starts to work. I have attempted every iteration of sudo configuration on the server that I can think of. I have setup HBAC and given that a shot as well. At this point I’m completely stumped and would appreciate any help that I can get! Thank you in advance for your assistance, Jason </div> </div> </div> </div> </body> </html>