Andrew Meyer via FreeIPA-users wrote:
> Hello, I'm having some trouble getting sudoers to work.  
> 
> I have 5 machines joined to the FreeIPA domain and I have a user group
> called ops and ops_sudoers.  Both have permission to full sudo.  
> 
> 
> [andrew.meyer@jira02 ~]$ ipa sudorule-find ALL
> -------------------
> 1 Sudo Rule matched
> -------------------
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   Sudo Option: !authenticate
> ----------------------------
> Number of entries returned 1
> ----------------------------
> 
> [andrew.meyer@jira02 ~]$ ipa sudorule-show ALL
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   Users: brian.keithly, andrew.meyer
>   User Groups: ops_sudoers, ops
>   RunAs Users: process
>   Sudo Option: !authenticate
> 
> [andrew.meyer@jira02 ~]$ sudo su -
> [sudo] password for andrew.meyer:
> Sorry, user andrew.meyer is not allowed to execute '/bin/su -' as root
> on jira02.mgt.example.net.
> [andrew.meyer@jira02 ~]$
> 
> My HBAC is set to allow_all.
> 
> [root@jira02 log]# cat /etc/sssd/sssd.conf
> [domain/mgt.example.net]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = EXAMPLE.NET
> ipa_domain = mgt.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = jira02.mgt.example.net
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, infra-test-ipa.example.net
> dyndns_iface = ens160
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh, sudo
> 
> domains = mgt.example.net
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [secrets]
> 
> [root@jira02 log]#

Start here:
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
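As an added example (not from the thread or the FreeIPA project): a small audit helper that parses the `ipa sudorule-show` text shown above and evaluates, under a simplified model of FreeIPA sudo semantics, whether a user would be allowed to run a command as a given target user. It assumes that a populated "RunAs Users" list restricts the permitted target users and that sudo's default target is root; group membership is supplied by the caller since nothing here queries IPA.

```python
import re

# Constructed sample: the rule output as it appears in the thread.
SAMPLE_RULE = """\
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  Users: brian.keithly, andrew.meyer
  User Groups: ops_sudoers, ops
  RunAs Users: process
  Sudo Option: !authenticate
"""

def parse_sudorule(text):
    """Parse the 'Key: value' lines of `ipa sudorule-show` into a dict.
    Comma-separated values become lists; single values stay strings."""
    rule = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        rule[key] = [v.strip() for v in value.split(",")] if "," in value else value
    return rule

def as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(rule, user, groups, runas="root"):
    """Return (allowed, reason) for `user` (member of `groups`) running a
    command as `runas`. Simplified model (assumption, not FreeIPA's code):
    the rule must be enabled and match the user directly or via a group, and
    if 'RunAs Users' is set only those target users are permitted. Host and
    command categories are 'all' in the sample, so they are not checked."""
    if rule.get("Enabled", "").upper() != "TRUE":
        return False, "rule disabled"
    users = as_list(rule.get("Users", []))
    ugroups = as_list(rule.get("User Groups", []))
    if user not in users and not set(groups) & set(ugroups):
        return False, f"{user} not matched by rule"
    runas_users = as_list(rule.get("RunAs Users", []))
    if runas_users and runas not in runas_users:
        return False, f"rule only permits running as {', '.join(runas_users)}, not {runas}"
    return True, "allowed"

if __name__ == "__main__":
    rule = parse_sudorule(SAMPLE_RULE)
    print(evaluate(rule, "andrew.meyer", ["ops"], runas="root"))
    print(evaluate(rule, "andrew.meyer", ["ops"], runas="process"))
```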