[Freeipa-users] freeipa / sudo

Chris Card ctcard at hotmail.com
Tue Dec 16 08:17:47 UTC 2014

> What command did you use to get sudo options working please?
>
> I noticed from below mail that you have
> Sudo Option: !authenticate
> 
> I am having trouble getting that working

The first issue is what version of FreeIPA you are using. Before version 4, sudo rules don't work without some manual setup on the client:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-sudo-clients.html#example-configuring-sudo-sss

If the client is set up correctly, then I found issues with sssd caching, and in particular the sss_cache command doesn't invalidate the cache of sudo rules yet. Once I reduced the default cache time for sssd I could see my sudo rule changes working on the client.

I also had a problem with using host groups as part of the sudo rule, and this was down to the netgroup seen by the client having fully-qualified host names, while the hostname command on the client was only returning the short hostname - but this was down to the way OpenStack creates instances by default, not an issue with FreeIPA per se.

Chris
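
The host-group mismatch described in the message above can be checked on a client by comparing the host field of the netgroup triples with the name the client reports. The shell sketch below is an added example, not part of the original post; the netgroup name, host names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the original post).
# On a real client, feed it live data:
#   getent netgroup <netgroup-name> | classify_host "$(hostname)"

# Constructed sample of `getent netgroup` output: name, then (host,user,domain) triples.
SAMPLE_NETGROUP='webservers (web01.cloud.example.com,-,cloud.example.com) (web02.cloud.example.com,-,cloud.example.com)'

# Print the host field of every triple on stdin, lower-cased, one per line.
# Triples with an empty or "-" host field are skipped.
netgroup_hosts() {
    tr 'A-Z' 'a-z' | tr -s ' \t' '\n\n' |
        sed -n 's/^(\([^,-][^,]*\),[^,]*,[^)]*)$/\1/p'
}

# classify_host NAME  (netgroup output on stdin)
# Prints one of:
#   match                       NAME is listed exactly
#   short-name-mismatch:<fqdn>  NAME is unqualified but equals the first label of <fqdn>
#   no-match                    NAME is not in the netgroup at all
classify_host() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    result=no-match
    for h in $(netgroup_hosts); do
        if [ "$h" = "$name" ]; then
            result=match
            break
        fi
        case $name in
            *.*) ;;   # already qualified: only an exact match counts
            *)  if [ "${h%%.*}" = "$name" ]; then
                    result="short-name-mismatch:$h"
                fi ;;
        esac
    done
    printf '%s\n' "$result"
}

# Demo on the constructed sample.
for n in web01 web01.cloud.example.com db01; do
    printf '%-26s %s\n' "$n" "$(printf '%s\n' "$SAMPLE_NETGROUP" | classify_host "$n")"
done
```

A `short-name-mismatch` result is the condition the message describes: the netgroup lists the fully-qualified name while the client reports only its short hostname.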