Hello, I'm having some trouble getting sudoers to work.
I have 5 machines joined to the FreeIPA domain and I have user groups called
ops and ops_sudoers. Both have permission to full sudo.

[andrew.meyer@jira02 ~]$ ipa sudorule-find ALL
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------

[andrew.meyer@jira02 ~]$ ipa sudorule-show ALL
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  Users: brian.keithly, andrew.meyer
  User Groups: ops_sudoers, ops
  RunAs Users: process
  Sudo Option: !authenticate

[andrew.meyer@jira02 ~]$ sudo su -
[sudo] password for andrew.meyer:
Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root on jira02.mgt.example.net.
[andrew.meyer@jira02 ~]$

My HBAC is set to allow_all.

[root@jira02 log]# cat /etc/sssd/sssd.conf
[domain/mgt.example.net]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = EXAMPLE.NET
ipa_domain = mgt.example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = jira02.mgt.example.net
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, infra-test-ipa.example.net
dyndns_iface = ens160
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
domains = mgt.example.net
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[root@jira02 log]#
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
