[Freeipa-users] can't get sudo to work.

Jeff Goddard jgoddard at emerlyn.com
Tue Aug 23 12:13:27 UTC 2016


Not sure if it's related or not, but I also reported an instance of similar
behavior of this on Ubuntu 16.0.1.

On Tue, Aug 23, 2016 at 2:24 AM, Tony Brian Albers <tba at statsbiblioteket.dk>
wrote:

> Hi guys,
>
> I've been trying to get sudo to work for our day-to-day admin who have
> their own usergroup in IPA called subadmin.
>
> For some reason I can't really get sudo to work, I suspect I am missing
> something simple, but I can't really figure out what it is.
>
> This is my config:
>
> # ipa sudorule-find
> -------------------
> 1 Sudo Rule matched
> -------------------
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   User Groups: subadmin
> ----------------------------
> Number of entries returned 1
> ----------------------------
> #
>
> # ipa group-find subadmin
> ---------------
> 1 group matched
> ---------------
>   Group name: subadmin
>   Description: For daily administration of users and hosts
>   GID: 10003
>   Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
>   Roles: Sub-admins
>   Member of Sudo rule: All
> ----------------------------
> Number of entries returned 1
> ----------------------------
> #
>
> And on a client:
>
> # cat /etc/sssd/sssd.conf
> [domain/kac.lokalnet]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = kac.sblokalnet
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kac-man-001.kac.lokalnet
> chpass_provider = ipa
> ipa_server = _srv_, kac-adm-001.kac.lokalnet
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> krb5_renewable_lifetime = 50d
> krb5_renew_interval = 3600
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
>
> domains = kac.lokalnet
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> nsswitch.conf:
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> #initgroups: files
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns myhostname
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  sss files
> aliases:    files nisplus
> sudoers:    files sss
>
> And for a subadmin account:
>
> -sh-4.2$ sudo -l
> [sudo] password for tba-sadm:
> Your password will expire in 6 day(s).
> User tba-sadm is not allowed to run sudo on kac-man-001.
> -sh-4.2$
>
> Any suggestions?  Help is much appreciated.
>
> TIA
>
> /tony
>
> --
> Best regards,
>
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
>
>
>
>
>



Jeff