[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Dmitri Pal dpal at redhat.com
Mon Oct 15 20:46:20 UTC 2012


On 10/15/2012 04:34 PM, Macklin, Jason wrote:
>
> Hi,
>
> I apologize up front if this is obvious, but I'm having issues
> configuring sudo privileges. 
>
> I currently have an IPA server running FreeIPA 2.2 with sudo
> configured for our administrators on all hosts.  This works
> fantastic!  As soon as I attempt to configure a more specific sudo
> rule it does not work.  In my troubleshooting, I have noticed that
> from the same host my admin level privileges work, but with another
> user account set up to just run one command, it fails.  I have turned
> on sudo debugging and the only thing I can find that looks out of
> sorts is the following:
>
> sudo: host_matches=0
>
> As soon as I move the user account that is failing into the admin
> group it starts to work.
>
> I have attempted every iteration of sudo configuration on the server
> that I can think of.  I have set up HBAC and given that a shot as
> well.  At this point I'm completely stumped and would appreciate any
> help that I can get!
>

What does sudo test return?
Does it return the expected results?

Can you be more specific about the rule you have?
Based on the description you have a rule that points to a specific user.
If this user is referred to in the rule explicitly, sudo does not work
properly, but if you move the user to a group that is referenced by the rule
then the rule works as expected. Is this a correct description of the problem?

I assume that you are turning off the allow_all rule that allows anyone to
do anything by default, right?
 

> Thank you in advance for your assistance,
>
> Jason


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
