[Freeipa-users] Sudo works for full access, but not on a per command or host level.
Dmitri Pal
dpal at redhat.com
Mon Oct 15 20:46:20 UTC 2012
On 10/15/2012 04:34 PM, Macklin, Jason wrote:
>
> Hi,
>
>
>
> I apologize up front if this is obvious, but I'm having issues
> configuring sudo privileges.
>
>
>
> I currently have an IPA server running FreeIPA 2.2 with sudo
> configured for our administrators on all hosts. This works
> fantastic! As soon as I attempt to configure a more specific sudo
> rule it does not work. In my troubleshooting, I have noticed that
> from the same host my admin level privileges work, but with another
> user account set up to just run one command, it fails. I have turned
> on sudo debugging and the only thing I can find that looks out of
> sorts is the following:
>
>
>
> sudo: host_matches=0
>
>
>
> As soon as I move the user account that is failing into the admin
> group it starts to work.
>
>
>
> I have attempted every iteration of sudo configuration on the server
> that I can think of. I have set up HBAC and given that a shot as
> well. At this point I'm completely stumped and would appreciate any
> help that I can get!
>
What does sudo test return?
Does it return the expected results?
Can you be more specific about the rule you have?
Based on the description, you have a rule that points to a specific user.
If this user is referred to in the rule explicitly, sudo does not work
properly, but if you move the user to a group that is referenced by the rule,
then the rule works as expected. Is this a correct description of the problem?
I assume that you are turning off the allow_all rule that allows anyone to
do anything by default, right?
>
>
> Thank you in advance for your assistance,
>
> Jason
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.