[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Macklin, Jason jason.macklin at roche.com
Thu Oct 18 11:48:58 UTC 2012


Update with success! (but embarrassment)

I apologize for putting everyone through the wringer on this one.  Here is what I found.

I mentioned at one point that my domainname/nisdomainname/dnsdomainname did not all return my correct domain, but that I had fixed this. As it turned out, I had a typo in my rc.local file.  Fixing them so they return the correct value is not enough to fix sudo.  I ran ipa-client --uninstall  -->> yum remove ipa-client -->> yum install ipa-client -->> ipa-client-install and re-enrolled my client without making any other changes.  Apparently, something does not translate properly during the enroll process if your domain is not set properly in the rc.local file.  Everything is now working just as I would expect it to!

Again, thank you everyone for your assistance!

Cheers,
Jason

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Wednesday, October 17, 2012 3:44 PM
To: Macklin, Jason {DASB~Branford}
Cc: dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

Can you confirm that you have sudoer_debug set to 2?

If I gather correctly, this is on RHEL 6.3? What version of sudo?

I'm seeing different output. Mine includes the number of candidate results found for sudoUser.

If you watch /var/log/dirsrv/slapd-REALM/access on your IPA server you'll be able to see the LDAP searches the sudo client is making. The log is buffered so you won't see them immediately. Can you send us the queries that are being made?

thanks

rob
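Rob's suggestion of reading the sudo client's LDAP searches out of the dirsrv access log, as an added example that is not part of the thread: a POSIX shell/awk filter that pairs each sudoRole SRCH with its RESULT so an empty answer (nentries=0) stands out. The access-log lines, the dc=example,dc=com suffix, the user and the group are constructed; they follow the shape of the two searches the sudoers LDAP backend sends (the user/group match and the netgroup pass) plus one unrelated lookup.

```shell
#!/bin/sh
# Added example, not part of the thread: extract the sudoRole searches a sudo
# client sends to the IPA directory server from a 389-ds access log and pair
# each SRCH with its RESULT, so a search that returned nentries=0 is easy to spot.
# SAMPLE_LOG is constructed to mimic /var/log/dirsrv/slapd-REALM/access; the
# suffix dc=example,dc=com, the user and the group are made up.
SAMPLE_LOG='[17/Oct/2012:15:44:01 -0400] conn=12 op=1 SRCH base="ou=sudoers,dc=example,dc=com" scope=2 filter="(&(objectClass=sudoRole)(|(sudoUser=jason)(sudoUser=%admins)(sudoUser=ALL)))" attrs=ALL
[17/Oct/2012:15:44:01 -0400] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[17/Oct/2012:15:44:01 -0400] conn=12 op=2 SRCH base="ou=sudoers,dc=example,dc=com" scope=2 filter="(&(objectClass=sudoRole)(sudoUser=+*))" attrs=ALL
[17/Oct/2012:15:44:01 -0400] conn=12 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[17/Oct/2012:15:44:02 -0400] conn=13 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(uid=jason)" attrs=ALL
[17/Oct/2012:15:44:02 -0400] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0'

# Read an access log on stdin; print one line per sudoRole search:
#   conn=N op=M nentries=K <filter>
# conn and op together identify one operation; that is how SRCH and RESULT are paired.
sudo_searches() {
    awk '
        /SRCH/ && /objectClass=sudoRole/ {
            key = $3 " " $4
            f = $0; sub(/.*filter="/, "", f); sub(/".*/, "", f)
            filter[key] = f
        }
        /RESULT/ {
            key = $3 " " $4
            if (key in filter) {
                n = $0; sub(/.*nentries=/, "", n); sub(/ .*/, "", n)
                print key " nentries=" n " " filter[key]
                delete filter[key]
            }
        }'
}

# Count the sudoRole searches that came back empty: the client asked, but the
# server held no rule matching that user, group or netgroup.
empty_sudo_searches() {
    sudo_searches | awk '/ nentries=0 / { c++ } END { print c + 0 }'
}

# Demonstration on the constructed log. On an IPA server the same function
# reads the real file:  sudo_searches < /var/log/dirsrv/slapd-REALM/access
printf '%s\n' "$SAMPLE_LOG" | sudo_searches
```

The access log is buffered, as Rob notes, so on a live server run the filter after the sudo attempt has had time to flush.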