[Freeipa-users] Sudo Commands and groups confusion

Rob Crittenden rcritten at redhat.com
Wed Jun 12 01:33:29 UTC 2013


Sina Owolabi wrote:
> Hi
> Please help me understand what I am doing wrong:
>
> I'm using two RHEL 6.4 IPA servers in a multi-master configuration.
> Instead of creating multiple sudocmdgroups and sudo rules, I tried to
> subset what I could see in the /etc/sudoers files and have nested
> command groups and rules, to be applied to certain users and hostgroups
> as needed.
> I have a hostgroup called allservers, which applies to all servers.
>
> The allservers hostgroup is a member of sudo rule admin-commands, which
> I created for specific users to be able to run admin commands on all
> servers. I have added as members, multiple sudogroups, each of which
> have a number of commands inside of them. Despite this, I find that sudo
> does not allow me to run any command as the users added to the
> admin-command rule. Please help me see where my logic is broken, and
> what to do to fix. Thanks a lot in advance.
> My sudo-ldap.conf is correctly configured, and so is nsswitch.conf.
>
> Output is below:
>
> sudo service httpd status
> [sudo] password for tuser:
> tuser is not allowed to run sudo on waphost.  This incident will be
> reported.
>
> ipa sudorule-find admin-commands
> -------------------
> 1 Sudo Rule matched
> -------------------
>   Rule name: admin-commands
>   Enabled: TRUE
>   Users: tuser
>   Host Groups: allservers
>   Sudo Allow Command Groups: locate, networking, rooting, services,
>                              software, storage
>   Sudo Option: !authenticate
> ----------------------------
> Number of entries returned 1
> ----------------------------

Did you set your NIS domain name on the client machine? sudo uses 
netgroups, which need the NIS domain. By default IPA creates a managed 
netgroup for each hostgroup, so one should be available with the right 
information.

rob
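Added example, not part of the thread above and not FreeIPA or sudo code: a small
POSIX sh helper for checking, on the client, the three things Rob's reply points
at before blaming the rule itself: that a NIS domain name is set (domainname and
nisdomainname print "(none)" when it is not), that nsswitch.conf resolves
netgroups through an LDAP-backed source, and that the managed netgroup for the
hostgroup actually lists this host with a domain field that matches the client's
NIS domain. The netgroup name allservers, the domain example.com, the host
waphost.example.com and the sample getent output are constructed for the
example; whether the netgroup source on a given client is "ldap" or "sss"
depends on which NSS module it uses, so both are accepted here as an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the thread.
# Each check is a function that reads its input from arguments or stdin,
# so it can be exercised offline; pass --live to run against this machine.

# 0 if the NIS domain name string is usable, 1 if unset or "(none)".
nis_domain_ok() {
    case "$1" in
        ""|"(none)") return 1 ;;
        *)           return 0 ;;
    esac
}

# Reads nsswitch.conf on stdin. 0 if the netgroup line names an
# LDAP-backed source (ldap or sss, assumed), 1 otherwise.
netgroup_source_ok() {
    awk '
        /^[ \t]*netgroup:/ {
            for (i = 2; i <= NF; i++)
                if ($i == "ldap" || $i == "sss") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Reads "getent netgroup <name>" output on stdin: a name followed by
# (host,user,domain) triples. $1 = client FQDN, $2 = client NIS domain.
# 0 if some triple matches the host and the domain. An empty host or
# domain field in a triple is a wildcard, as in netgroup semantics.
# sudo also tries the short hostname; this checks only the name given.
host_in_netgroup() {
    awk -v host="$1" -v domain="$2" '
        {
            while (match($0, /\([^)]*\)/)) {
                triple = substr($0, RSTART + 1, RLENGTH - 2)
                n = split(triple, f, ",")
                if (n == 3 &&
                    (f[1] == "" || f[1] == host) &&
                    (f[3] == "" || f[3] == domain))
                    found = 1
                $0 = substr($0, RSTART + RLENGTH)
            }
        }
        END { exit(found ? 0 : 1) }'
}

# Live run (only when explicitly asked for, so the file is safe to source).
if [ "${1-}" = "--live" ]; then
    netgr="${2:-allservers}"                 # assumed hostgroup/netgroup name
    dom=$(nisdomainname 2>/dev/null || domainname 2>/dev/null)
    fqdn=$(hostname -f 2>/dev/null || hostname)
    if nis_domain_ok "$dom"; then echo "NIS domain: $dom"
    else echo "NIS domain not set (sudo passes it to innetgr)"; fi
    if netgroup_source_ok < /etc/nsswitch.conf; then echo "netgroup source: ok"
    else echo "nsswitch.conf: netgroup line has no ldap/sss source"; fi
    if getent netgroup "$netgr" | host_in_netgroup "$fqdn" "$dom"; then
        echo "$fqdn is in netgroup $netgr for domain $dom"
    else
        echo "$fqdn not found in netgroup $netgr with domain '$dom'"
    fi
fi
```

The third check is the one that most often explains "not allowed to run sudo"
when the rule looks right on the server: the triples in the managed netgroup
carry the IPA domain, so a client whose NIS domain is unset or different will
not match its own hostgroup even though the hostgroup membership is correct.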
