[Freeipa-users] Setting up sudo in FreeIPA v2.2
Steven Jones
Steven.Jones at vuw.ac.nz
Tue Oct 16 21:54:08 UTC 2012
Can you turn on debugging?
"sudoers_debug 2"
to /etc/sudo-ldap.conf (assumes RHEL6.3)
Also you could try adding the host directly to the sudo rule and not via a host group as that seems buggy....
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Toasted Penguin [toastedpenguininfo at gmail.com]
Sent: Wednesday, 17 October 2012 10:24 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Setting up sudo in FreeIPA v2.2
I have the server set up to manage sudo and I configured a target client to use the IPA server for sudo. When a user tries to use sudo (in this case "sudo su -") it fails and they get the error "user is not allowed to run sudo on client-host. This incident will be reported." I verified via the log files that the client is making requests to the IPA server when the user is attempting to use sudo and it fails. I temporarily disabled using the IPA server for sudo and I get the standard "User not in the sudoers file...."
It's starting to look like the server rules may be the issue but I believe I have the sudo rule set up correctly. I created a sudo command "/bin/su", created a sudo rule "Sudo to root", added the group the user in question is a part of to the WHO-->User Groups; added the Host Group the target client host is part of to Access This Host-->Host Groups and added the sudo command to the sudo rule via Allow-->Sudo Allow Commands. When I delete the sudo rule I get the same result as I did when I temporarily disabled the client host using the IPA server for sudo verification.
Any ideas why or where to look to figure out this issue?
Thanks,
David