[Freeipa-users] can't get sudo to work.

Simpson Lachlan Lachlan.Simpson at petermac.org
Tue Aug 23 06:49:50 UTC 2016


What version of sssd are you using?

We found that it wouldn't work with sssd < 1.14.

On the IPA server, it would say "yep rule applies", but then on any particular machine it wouldn't (well, it would - but only intermittently).

There's a COPR repo for CentOS 7 if you aren't on Fedora/RedHat.

Cheers
L.

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Tony Brian Albers
Sent: Tuesday, 23 August 2016 4:24 PM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] can't get sudo to work.

Hi guys,

I've been trying to get sudo to work for our day-to-day admins, who have their own user group in IPA called subadmin.

For some reason I can't really get sudo to work; I suspect I am missing something simple, but I can't really figure out what it is.

This is my config:

# ipa sudorule-find
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: subadmin
----------------------------
Number of entries returned 1
----------------------------
#
# ipa group-find subadmin
---------------
1 group matched
---------------
  Group name: subadmin
  Description: For daily administration of users and hosts
  GID: 10003
  Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
  Roles: Sub-admins
  Member of Sudo rule: All
----------------------------
Number of entries returned 1
----------------------------
#
And on a client:

# cat /etc/sssd/sssd.conf
[domain/kac.lokalnet]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = kac.sblokalnet
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kac-man-001.kac.lokalnet
chpass_provider = ipa
ipa_server = _srv_, kac-adm-001.kac.lokalnet
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = kac.lokalnet
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  sss files
aliases:    files nisplus
sudoers:    files sss
And for a subadmin account:

-sh-4.2$ sudo -l
[sudo] password for tba-sadm: 
Your password will expire in 6 day(s).
User tba-sadm is not allowed to run sudo on kac-man-001.
-sh-4.2$
Any suggestions?  Help is much appreciated.

TIA

/tony

--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

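The three client-side prerequisites this thread turns on (an sssd new enough per the reply's 1.14 threshold, the sudo responder listed in the [sssd] services line, and "sss" on the sudoers: line of nsswitch.conf) can be checked mechanically before chasing rule definitions on the server. The script below is an added example, not code from either poster or from the FreeIPA/SSSD projects; the sample config files it writes are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check the client-side prerequisites
# for IPA-managed sudo rules that the thread discusses.
#   1. sssd version >= 1.14 (the threshold given in the reply)
#   2. "sudo" listed in services= of the [sssd] section of sssd.conf
#   3. "sss" listed on the sudoers: line of nsswitch.conf
# The config texts written below are constructed samples, not real hosts.

# version_ge A B: succeed if dotted version A is >= dotted version B
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0   # missing components count as 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# sssd_services_has_sudo FILE: succeed if the [sssd] section's services=
# list contains the sudo responder (ignores services= in other sections)
sssd_services_has_sudo() {
  awk -F= '
    /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec) }
    sec == "[sssd]" && $1 ~ /^[ \t]*services[ \t]*$/ {
      gsub(/[ \t]/, "", $2)
      n = split($2, svc, ",")
      for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# nsswitch_sudoers_has_sss FILE: succeed if an uncommented sudoers: line
# lists the sss source
nsswitch_sudoers_has_sss() {
  awk '
    /^[ \t]*#/ { next }
    $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# check_sudo_client VERSION SSSD_CONF NSSWITCH_CONF
# Prints one line per check; the exit status is the number of failed checks.
check_sudo_client() {
  fails=0
  if version_ge "$1" 1.14; then echo "ok   sssd $1 >= 1.14"
  else echo "FAIL sssd $1 < 1.14 (rules only applied intermittently per the thread)"; fails=$((fails + 1)); fi
  if sssd_services_has_sudo "$2"; then echo "ok   [sssd] services includes sudo"
  else echo "FAIL sudo responder missing from services= in $2"; fails=$((fails + 1)); fi
  if nsswitch_sudoers_has_sss "$3"; then echo "ok   nsswitch sudoers: includes sss"
  else echo "FAIL sudoers: line in $3 does not list sss"; fails=$((fails + 1)); fi
  return $fails
}

# Constructed sample configs, written to a temporary directory
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[domain/example.test]
id_provider = ipa
sudo_provider = ipa
[sssd]
services = nss, sudo, pam
domains = example.test
EOF
cat > "$SAMPLE_DIR/sssd-nosudo.conf" <<'EOF'
[domain/example.test]
id_provider = ipa
[sssd]
services = nss, pam
domains = example.test
EOF
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files sss
#sudoers:   files
sudoers:    files sss
EOF

# Demonstration run on the constructed samples; on a real client pass the
# output of "sssd --version" and the real /etc/sssd/sssd.conf and
# /etc/nsswitch.conf paths instead.
check_sudo_client 1.14.0 "$SAMPLE_DIR/sssd.conf" "$SAMPLE_DIR/nsswitch.conf"
```

A non-zero exit status tells you how many of the three prerequisites are missing on that client; an all-ok result with sudo still refusing the user points back at the server side (rule enablement, host and user membership) rather than the client wiring.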
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project