We have one "allow all" sudo rule (anyone, any host, any command).
Matching Defaults entries for root on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on this host:
    (ALL) ALL

My sssd.conf has:

[domain/unixdev.etc]
...
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = unixdev.petermac.org.au
debug_level = 6

[sudo]
debug_level = 6

but only on the server - does that need to filter down to each client? The client-side sssd.confs seem to be auto-created when ipa-client-install is run, and are stripped down...

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

On 19 September 2016 at 18:21, Lukas Slebodnik <lsleb...@redhat.com> wrote:

> On (19/09/16 16:43), Lachlan Musicman wrote:
> >I must have made an error again:
> >
> >- ipa hbactest gives seemingly correct answer on both server and client
> >- user can't actually use sudo on client?
> >
> >CentOS 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR
> >
> >From the server:
> >
> >[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au
> >--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
> >--------------------
> >Access granted: True
> >--------------------
> > Matched rules: Cluster Admin Users (sudo)
> > Not matched rules: Cluster Users
> >[root@vmdv-linuxidm1 ~]#
> >
> >
> >From the host in question:
> >
> >[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au
> >--host `hostname` --service sudo
> >--------------------
> >Access granted: True
> >--------------------
> > Matched rules: Cluster Admin Users (sudo)
> > Not matched rules: Cluster Users
> >[root@vmts-linuxclient1 ~]#
> >
> >
> >[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
> >[sudo] password for lsimp...@petermac.org.au:
> >lsimp...@petermac.org.au is not allowed to run sudo on vmts-linuxclient1.
> >This incident will be reported.
> >
> Did you configure sudo rules for such user?
> What is an output of "sudo -l"
>
> LS
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
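The question above ("does that need to filter down to each client?") turns on two client-side settings that the sudo integration in SSSD needs before `sudo -l` on the client can see any rule from the IPA server: `sudo` must be listed in the `services` line of the `[sssd]` section of `/etc/sssd/sssd.conf`, and `sss` must be listed on the `sudoers:` line of `/etc/nsswitch.conf` (see sssd-sudo(5)). The server's `ldap_*` sudo settings do not need to be copied to an IPA client: with `id_provider = ipa`, `sudo_provider` defaults to `ipa` as well. The script below is an added example, not code from the thread or from the SSSD or FreeIPA projects. It checks both settings in copies of the two files; the sample files it writes are constructed to resemble the stripped-down client config described in the thread (hostnames reused from the thread, everything else hypothetical) and a corrected version of it.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: checks the two client-side
# settings SSSD needs before "sudo -l" can return rules from the IPA server.
#   1. "sudo" must appear in the [sssd] services list of /etc/sssd/sssd.conf
#   2. "sss" must appear on the "sudoers:" line of /etc/nsswitch.conf
# Each check takes a file path so it can be run against any copy of the file.

# Succeed (exit 0) if the [sssd] section's "services" line lists sudo.
sssd_services_include_sudo() {
    awk '
        # track which [section] we are in; only [sssd] matters
        /^[ \t]*\[/ { insssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        insssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, "[ \t,]+")
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeed (exit 0) if an uncommented "sudoers:" line in nsswitch.conf names sss.
nsswitch_sudoers_has_sss() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")
            n = split($0, src, "[ \t]+")
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print a one-line verdict for an (sssd.conf, nsswitch.conf) pair.
report_client() {
    label=$1; sssd_conf=$2; nsswitch_conf=$3
    if sssd_services_include_sudo "$sssd_conf"; then s=ok; else s=MISSING; fi
    if nsswitch_sudoers_has_sss "$nsswitch_conf"; then n=ok; else n=MISSING; fi
    printf '%-16s sssd.conf sudo service: %-8s nsswitch sudoers sss: %s\n' \
        "$label" "$s" "$n"
}

# Constructed sample files (hypothetical): a stripped-down client sssd.conf
# like the one the thread describes, and the same file with sudo added.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sssd-stripped.conf" <<'EOF'
[domain/unixdev.petermac.org.au]
id_provider = ipa
ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au
ipa_domain = unixdev.petermac.org.au
ipa_hostname = vmts-linuxclient1.unixdev.petermac.org.au
auth_provider = ipa
access_provider = ipa

[sssd]
services = nss, pam, ssh
domains = unixdev.petermac.org.au
EOF
# Adding sudo to the services list is the only sssd.conf change needed:
# with id_provider = ipa, sudo_provider defaults to ipa as well.
sed 's/^services = nss, pam, ssh$/services = nss, pam, ssh, sudo/' \
    "$SAMPLE_DIR/sssd-stripped.conf" > "$SAMPLE_DIR/sssd-fixed.conf"
printf 'passwd:  files sss\nsudoers: files\n'     > "$SAMPLE_DIR/nsswitch-stripped.conf"
printf 'passwd:  files sss\nsudoers: files sss\n' > "$SAMPLE_DIR/nsswitch-fixed.conf"

report_client "stripped client" "$SAMPLE_DIR/sssd-stripped.conf" "$SAMPLE_DIR/nsswitch-stripped.conf"
report_client "fixed client"    "$SAMPLE_DIR/sssd-fixed.conf"    "$SAMPLE_DIR/nsswitch-fixed.conf"
# On a real host: report_client "$(hostname)" /etc/sssd/sssd.conf /etc/nsswitch.conf
```

After fixing either file on a client, restart sssd, clear its cache with `sss_cache -E`, and re-run `sudo -l` as the user; `ipa hbactest` only evaluates HBAC rules and says nothing about whether the sudo rules ever reach the client.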