[Freeipa-users] another sudo su question

Dmitri Pal dpal at redhat.com
Tue Jul 17 16:06:11 UTC 2012


On 07/17/2012 11:50 AM, KodaK wrote:
> I've been banging my head on this for a couple of days, and I can't
> find anything in the docs or by searching.
>
> I'm trying to do what I think should be pretty simple:  I have a group
> of users and an application account, all in IPA.  I want users in that
> group to be able to "sudo su - appacct".
>
> What I've found is that I probably can't do it exactly like that, so
> now I'm trying "sudo -i appacct", but I can't get that to work either.
>
> My rule is set up like this:
>
> rule name:  become-appacct
> sudo option:  -i appacct       (I'm not sure this is right.)
> user groups:  admins, appgroup
> host groups:  apphostgroup
>
> Everything else is blank.  Note that this is just the current
> configuration, I've tried a bunch of iterations.
>
> Any help?
>
> Thanks,
>
> --Jason
>
If you are using IPA, it internally has a different schema for sudo than
the one published on the sudo web site:
http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=install/share/65ipasudo.ldif;h=7a85c8659c33794d3127d208452dcb54ad34d59e;hb=HEAD

It is then transformed into a traditional sudo schema using the compat tree.

So what you need to do is make sure you create the right sudo rule.

Your sudo rule should use:
user groups: admins, appgroup
host groups: apphostgroup
command: sudo -i

If appacct is a user managed by IPA then he should be selected as "run
as" user.
If this account is not managed by IPA it should be an "external" user.

Use UI or CLI to add it. Doing it via ldap would not work unless you use
the internal schema.

objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation
    STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $
    cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
    ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $
    sudoNotBefore $ sudoNotAfter $$ sudoOrder ) X-ORIGIN 'IPA v2' )

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
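The rule Dmitri describes, expressed as the FreeIPA CLI calls that build it, as an added example that is not part of the original thread. It assumes the names from the question (rule become-appacct, groups admins and appgroup, host group apphostgroup, run-as account appacct) and that appacct's login shell is /bin/bash: `sudo -i` executes the target user's login shell, so that shell is the command sudo matches against the rule, and the target user is named with `-u` (`sudo -i -u appacct`). The DRY_RUN switch and the helper functions are this example's own; with DRY_RUN unset the script runs the real `ipa` commands and needs a valid admin Kerberos ticket.

```shell
#!/bin/sh
# Added example: build the "become-appacct" sudo rule through the IPA CLI.
# Names below come from the mailing-list question; /bin/bash and DRY_RUN are
# assumptions of this example, not something the thread states.
RULE=become-appacct
RUNAS_USER=appacct
HOSTGROUP=apphostgroup
USERGROUPS="admins appgroup"
LOGIN_SHELL=/bin/bash   # assumed login shell of appacct; sudo -i matches on it

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# build_rule emits/executes one ipa call per rule component, in dependency
# order: the sudocmd object must exist before a rule can reference it.
build_rule() {
  run ipa sudorule-add "$RULE" --desc="let appgroup members become $RUNAS_USER"
  for g in $USERGROUPS; do
    run ipa sudorule-add-user "$RULE" --groups="$g"
  done
  run ipa sudorule-add-host "$RULE" --hostgroups="$HOSTGROUP"
  # The allowed command is the login shell, not "sudo -i" itself.
  run ipa sudocmd-add "$LOGIN_SHELL" --desc="login shell used by sudo -i"
  run ipa sudorule-add-allow-command "$RULE" --sudocmds="$LOGIN_SHELL"
  # Run-as user: an IPA-managed account is added with --users; an account
  # outside IPA would go in as an external user instead.
  run ipa sudorule-add-runasuser "$RULE" --users="$RUNAS_USER"
}

# count_calls returns how many ipa invocations build_rule produces (dry run).
count_calls() {
  DRY_RUN=1 build_rule | grep -c '^ipa '
}

# Verification after a real run: ipa sudorule-show "$RULE" lists the rule, and
# on a host in apphostgroup a member of appgroup should see the shell entry in
# "sudo -l" and be able to run "sudo -i -u appacct".
if [ "${RUN_MAIN:-0}" = 1 ]; then
  build_rule
fi
```

Running the block with `DRY_RUN=1 RUN_MAIN=1 sh build-rule.sh` prints the seven `ipa` calls without touching the directory, which is a convenient way to review the rule before applying it.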
