[Freeipa-users] another sudo su question

KodaK sakodak at gmail.com
Tue Jul 17 18:48:42 UTC 2012


On Tue, Jul 17, 2012 at 1:40 PM, KodaK <sakodak at gmail.com> wrote:
> On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal <dpal at redhat.com> wrote:
>> On 07/17/2012 11:50 AM, KodaK wrote:
>>> I've been banging my head on this for a couple of days, and I can't
>>> find anything in the docs or by searching.
>>>
>>> I'm trying to do what I think should be pretty simple:  I have a group
>>> of users and an application account, all in IPA.  I want users in that
>>> group to be able to "sudo su - appacct".
>>>
>>> What I've found is that I probably can't do it exactly like that, so
>>> now I'm trying "sudo -i appacct", but I can't get that to work either.
>>>
>>> My rule is set up like this:
>>>
>>> rule name:  become-appacct
>>> sudo option:  -i appacct       (I'm not sure this is right.)
>>> user groups:  admins, appgroup
>>> host groups:  apphostgroup
>>>
>>> Everything else is blank.  Note that this is just the current
>>> configuration, I've tried a bunch of iterations.
>>>
>>> Any help?
>>>
>>> Thanks,
>>>
>>> --Jason
>>>
>> If you are using IPA it internally has a different schema for sudo than
>> the one published on the sudo web site
>> http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=install/share/65ipasudo.ldif;h=7a85c8659c33794d3127d208452dcb54ad34d59e;hb=HEAD
>>
>> It is then transformed into a traditional sudo schema using the compat tree.
>>
>> So what you need to do is make sure you create the right sudo rule.
>>
>> Your sudo rule should use:
>> user groups: admins, appgroup
>> host groups: apphostgroup
>> command: sudo -i
>
> Thanks.  I had some fighting to do to get sudo to talk to ldap on this
> box, but I have that going now.
>
> If I understand you correctly, I've created a rule like you've
> suggested.  However, I get:
>
> Sorry, user jebalicki is not allowed to execute '/bin/bash -c
> cdcadmin' as root on slncdcl01.unix.magellanhealth.com.

I got it.  I was able to use:

Rule name: become-cdcadmin
  Enabled: TRUE
  User Groups: admins, stsg
  Host Groups: cdchosts
  Sudo Allow Commands:  /bin/su - cdcadmin

I thought I tried that first, but I must have had something else wrong.

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
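To make the difference between the broken attempt (a sudo flag typed into the rule's option field) and the working rule concrete, here is an added example that is not part of the thread or of FreeIPA itself: it models both rules, renders them the way the compat tree presents them to sudo and as a sudoers(5) line for review, and flags the two mistakes a reviewer would catch. The attribute mapping (groups to `sudoUser: %group`, host groups to `sudoHost: +hostgroup`, allow commands to `sudoCommand`, run-as users to `sudoRunAsUser`, options to `sudoOption`) is the author's understanding of the compat plugin's translation, and the suffix is a placeholder.

```python
# Added example, not FreeIPA code. The compat-tree mapping below is an
# assumption (how the author understands the compat plugin); SUFFIX is a
# placeholder, not the poster's real base DN.
from dataclasses import dataclass, field

SUFFIX = "dc=example,dc=com"  # placeholder base DN

@dataclass
class SudoRule:
    name: str
    user_groups: list = field(default_factory=list)
    host_groups: list = field(default_factory=list)
    allow_commands: list = field(default_factory=list)
    runas_users: list = field(default_factory=list)
    options: list = field(default_factory=list)

def to_compat_ldif(rule, suffix=SUFFIX):
    """sudoRole entry as the compat tree would expose it under ou=sudoers."""
    lines = [f"dn: cn={rule.name},ou=sudoers,{suffix}",
             "objectClass: sudoRole", f"cn: {rule.name}"]
    lines += [f"sudoUser: %{g}" for g in rule.user_groups]   # group -> %group
    lines += [f"sudoHost: +{h}" for h in rule.host_groups]   # hostgroup -> netgroup
    lines += [f"sudoCommand: {c}" for c in rule.allow_commands]
    lines += [f"sudoRunAsUser: {u}" for u in rule.runas_users]
    lines += [f"sudoOption: {o}" for o in rule.options]
    return "\n".join(lines)

def to_sudoers_line(rule):
    """Equivalent sudoers(5) line; no run-as list means sudo's default, root."""
    users = ", ".join(f"%{g}" for g in rule.user_groups)
    hosts = ", ".join(f"+{h}" for h in rule.host_groups) or "ALL"
    runas = f"({', '.join(rule.runas_users)}) " if rule.runas_users else ""
    return f"{users} {hosts} = {runas}{', '.join(rule.allow_commands)}"

def lint_rule(rule):
    """Review findings: sudo flags misplaced as options, no command, broad grant."""
    findings = []
    if not rule.allow_commands:
        findings.append("no allowed command: the rule grants nothing usable")
    for opt in rule.options:
        if opt.split()[0] in ("-i", "-s", "-u"):
            findings.append(f"option '{opt}' is a sudo flag, not a rule setting; "
                            "put the target in an allowed command like '/bin/su - user'")
    for cmd in rule.allow_commands:
        if cmd.strip() in ("ALL", "/bin/su", "/bin/su -", "/bin/sh", "/bin/bash"):
            findings.append(f"command '{cmd}' yields an unrestricted root shell")
    return findings

# The working rule from the end of the thread, and the first, broken attempt.
WORKING = SudoRule("become-cdcadmin", ["admins", "stsg"], ["cdchosts"], ["/bin/su - cdcadmin"])
BROKEN = SudoRule("become-appacct", ["admins", "appgroup"], ["apphostgroup"], options=["-i appacct"])
```

`lint_rule(WORKING)` returns nothing, while `lint_rule(BROKEN)` reports both the missing command and the misplaced `-i` flag, which is what produced the "/bin/bash -c cdcadmin" denial quoted earlier in the thread.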