[Freeipa-users] what is the sudo rule runasuser local user account

Baird, Josh jbaird at follett.com
Thu Feb 4 16:00:50 UTC 2016


Actually, I use local (external) users in my sudo rules in IPA 4.2 with no problem.

Example:

  Rule name: TestDBAs
  Description: access for members of the TestDBAs group
  Enabled: TRUE
  Command category: all
  User Groups: testdbas
  Host Groups: corp_oracle
  RunAs External User: oracle

In this example, 'oracle' is a local user on the server (not in IPA).  I hope this functionality does not go away.

Thanks,

Josh

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Rob Verduijn
> Sent: Thursday, February 04, 2016 10:54 AM
> To: Jakub Hrozek
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] what is the sudo rule runasuser local user
> account
> 
> On Centos7.2 all patches applied I used the command:
> ipa-client-install --enable-dns-updates
> 
> Rob
> 
> 2016-02-04 16:45 GMT+01:00 Jakub Hrozek <jhrozek at redhat.com>:
> > On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
> >> Hello,
> >>
> >> I've noticed that the sudorule-add-runasuser no longer has an
> >> --external option
> >>
> >> What is the current method to add a local service account to a sudo
> >> rule list so that users may run sudo as that service account (i.e.
> >> apache or jboss)
> >>
> >> Cheers
> >> Rob Verduijn
> >
> > I know I'm not answering your question but how did you configure the
> > client side earlier? Did you use the native/legacy sudo ldap driver?
> >
> > The reason I'm asking this is that sssd only supports users it
> > handles, so in the IPA case it only supports IPA users anyway.
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> 
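An added example, not part of the thread or of FreeIPA: a small audit over rule listings in the field layout shown in Josh's message, flagging enabled rules whose RunAs External User is missing from a host's local accounts or is paired with Command category: all. The sample listing, the extra rule names and the `local` account set (in practice, the names from the target host's passwd file) are constructed assumptions.

```python
# SAMPLE is constructed; only the TestDBAs record mirrors the message above.
SAMPLE = """\
  Rule name: TestDBAs
  Enabled: TRUE
  Command category: all
  User Groups: testdbas
  Host Groups: corp_oracle
  RunAs External User: oracle

  Rule name: WebRestart
  Enabled: TRUE
  RunAs External User: apache, jbos

  Rule name: OldRule
  Enabled: FALSE
  Command category: all
  RunAs External User: jboss
"""

def parse_rules(text):
    """One dict per rule; a 'Rule name' line starts a new record."""
    rules = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if key.strip().lower() == "rule name":
            rules.append({})
        if rules:
            rules[-1][key.strip().lower()] = value.strip()
    return rules

def audit(rules, local):
    """Findings for enabled rules that run commands as external users."""
    findings = []
    for r in rules:
        if r.get("enabled", "").upper() != "TRUE":
            continue  # disabled rules grant nothing
        users = [u.strip() for u in r.get("runas external user", "").split(",")]
        for u in filter(None, users):
            if u not in local:
                findings.append((r["rule name"], u, "no such local account"))
            elif r.get("command category", "").lower() == "all":
                findings.append((r["rule name"], u, "any command as local account"))
    return findings

if __name__ == "__main__":
    for f in audit(parse_rules(SAMPLE), {"oracle", "apache", "jboss"}):
        print(*f, sep=": ")
```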