[Freeipa-users] can't get sudo to work.
Tony Brian Albers
tba at statsbiblioteket.dk
Tue Aug 23 07:11:44 UTC 2016
Thanks Simon,
Is this a known issue? We're on Centos 7.2 and yes, the sssd version is 1.13
/tony
On Tue, 2016-08-23 at 06:49 +0000, Simpson Lachlan wrote:
> What version of sssd are you using?
>
> We found that it wouldn't work w sssd<1.14
>
> On the IPA server, it would say "yep rule applies", but then on any particular machine it wouldn't (well, it would - but only intermittently).
>
> There's a COPR repo for Centos7 if you aren't on Fedora/RedHat.
>
> Cheers
> L.
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Tony Brian Albers
> Sent: Tuesday, 23 August 2016 4:24 PM
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] can't get sudo to work.
>
> Hi guys,
>
> I've been trying to get sudo to work for our day-to-day admins, who have their own user group in IPA called subadmin.
>
> For some reason I can't really get sudo to work. I suspect I am missing something simple, but I can't really figure out what it is.
>
> This is my config:
>
> # ipa sudorule-find
> -------------------
> 1 Sudo Rule matched
> -------------------
> Rule name: All
> Enabled: TRUE
> Host category: all
> Command category: all
> User Groups: subadmin
> ----------------------------
> Number of entries returned 1
> ----------------------------
> #
>
> # ipa group-find subadmin
> ---------------
> 1 group matched
> ---------------
> Group name: subadmin
> Description: For daily administration of users and hosts
> GID: 10003
> Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
> Roles: Sub-admins
> Member of Sudo rule: All
> ----------------------------
> Number of entries returned 1
> ----------------------------
> #
>
> And on a client:
>
> # cat /etc/sssd/sssd.conf
> [domain/kac.lokalnet]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = kac.sblokalnet
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kac-man-001.kac.lokalnet
> chpass_provider = ipa
> ipa_server = _srv_, kac-adm-001.kac.lokalnet
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> krb5_renewable_lifetime = 50d
> krb5_renew_interval = 3600
>
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
>
> domains = kac.lokalnet
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
>
> nsswitch.conf:
>
> passwd: files sss
> shadow: files sss
> group: files sss
> #initgroups: files
>
> #hosts: db files nisplus nis dns
> hosts: files dns myhostname
>
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
>
> netgroup: files sss
>
> publickey: nisplus
>
> automount: sss files
> aliases: files nisplus
> sudoers: files sss
>
> And for a subadmin account:
>
> -sh-4.2$ sudo -l
> [sudo] password for tba-sadm:
> Your password will expire in 6 day(s).
> User tba-sadm is not allowed to run sudo on kac-man-001.
> -sh-4.2$
>
> Any suggestions? Help is much appreciated.
>
> TIA
>
> /tony
>
> --
> Best regards,
>
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
--
Best regards,
Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316
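Before blaming the sssd version, the client-side plumbing for IPA sudo rules can be checked mechanically. The script below is an added example, not something from the thread or from the FreeIPA project: it reads constructed copies of the posted sssd.conf and nsswitch.conf and verifies that the sudo responder is enabled, that sudoers lookups go to sss, and that the `[domain/...]` header, `ipa_domain` and `domains=` agree (the posted config has `kac.lokalnet` against `kac.sblokalnet`, which the last check flags).

```shell
#!/bin/sh
# Added troubleshooting helper (not from the thread): check the client-side
# pieces an IPA sudo rule needs. Both config snippets are constructed from the
# thread's listing so the script runs offline.
SSSD_CONF=$(mktemp)
NSS_CONF=$(mktemp)
cat >"$SSSD_CONF" <<'EOF'
[domain/kac.lokalnet]
ipa_domain = kac.sblokalnet
id_provider = ipa
[sssd]
services = nss, sudo, pam, autofs, ssh
domains = kac.lokalnet
[sudo]
EOF
cat >"$NSS_CONF" <<'EOF'
sudoers: files sss
netgroup: files sss
EOF

# Print the value of key $3 inside [section $2] of file $1 (empty if absent).
ini_get() {
    sed -n "/^\[$2\]/,/^\[/{s/^$3[[:space:]]*=[[:space:]]*//p;}" "$1"
}

# Exit 0 if the sssd sudo responder is listed in services= under [sssd].
sssd_has_sudo_service() {
    ini_get "$1" sssd services | tr ',' '\n' | grep -qx '[[:space:]]*sudo[[:space:]]*'
}

# Exit 0 if nsswitch.conf sends sudoers lookups to the sss source.
nsswitch_uses_sss_for_sudoers() {
    sed -n 's/^sudoers:[[:space:]]*//p' "$1" | tr ' ' '\n' | grep -qx sss
}

# Exit 0 if the [domain/X] header, its ipa_domain and [sssd] domains= all match.
sssd_domain_consistent() {
    hdr=$(sed -n 's/^\[domain\/\(.*\)\]/\1/p' "$1" | head -n1)
    dom=$(ini_get "$1" "domain\/$hdr" ipa_domain)
    lst=$(ini_get "$1" sssd domains)
    [ -n "$hdr" ] && [ "$hdr" = "$dom" ] && [ "$hdr" = "$lst" ]
}

# Report each check when run directly.
sssd_has_sudo_service "$SSSD_CONF" && echo "ok: sudo responder enabled" || echo "FAIL: add sudo to services="
nsswitch_uses_sss_for_sudoers "$NSS_CONF" && echo "ok: sudoers uses sss" || echo "FAIL: sudoers line lacks sss"
sssd_domain_consistent "$SSSD_CONF" && echo "ok: domain names agree" || echo "FAIL: domain header/ipa_domain/domains= differ"
```

If all three checks pass and `sudo -l` still denies the user, clear the sssd cache and look at the sudo responder log before moving to the server side.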