[Freeipa-users] Sudo Commands and groups confusion
Steven Jones
Steven.Jones at vuw.ac.nz
Wed Jun 12 00:26:52 UTC 2013
Hi,
Sounds too complex, don't nest, KISS, Keep It Simple and Stupid.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sina Owolabi [shinacalypse at gmail.com]
Sent: Wednesday, 12 June 2013 11:56 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Sudo Commands and groups confusion
Hi
Please help me understand what I am doing wrong:
I'm using two RHEL6.4 ipa servers in a multi-master configuration.
Instead of creating multiple sudocmdgroups and sudo rules, I tried to subset what I could see in the /etc/sudoers files and have nested command groups and rules, to be applied to certain users and hostgroups as needed.
I have a hostgroup called allservers, which applies to all servers.
The allservers hostgroup is a member of sudo rule admin-commands, which I created for specific users to be able to run admin commands on all servers. I have added as members, multiple sudogroups, each of which has a number of commands inside of them. Despite this, I find that sudo does not allow me to run any command as the users added to the admin-command rule. Please help me see where my logic is broken, and what to do to fix it. Thanks a lot in advance.
My sudo-ldap.conf is correctly configured, and so is nsswitch.conf.
Output is below:
sudo service httpd status
[sudo] password for tuser:
tuser is not allowed to run sudo on waphost. This incident will be reported.
ipa sudorule-find admin-commands
-------------------
1 Sudo Rule matched
-------------------
Rule name: admin-commands
Enabled: TRUE
Users: tuser
Host Groups: allservers
Sudo Allow Command Groups: locate, networking, rooting, services, software, storage
Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------
--
best regards,
Sina Owolabi
+2348034022578
+2348176469061