On Thu, Nov 09, 2017 at 02:07:03AM +0000, Andrew Meyer via FreeIPA-users wrote:
> Hello, I am trying to set up a few of my users to have the ability to su - 
> jira or another user using FreeIPA.
> Here is what happens when I am logged in as the user and try to su - jira
> [user1@jira02 ~]$ sudo su - process
> [sudo] password for user1:
> Sorry, user user1 is not allowed to execute '/bin/su - jira' as root on jira02.example.net.
> [user1@jira02 ~]$
> [andrew.meyer@jira02 ~]$ ipa sudorule-show su_jira
>   Rule name: su_jira
>   Enabled: TRUE
>   Host category: all
>   RunAs User category: all
>   RunAs Group category: all
>   User Groups: developers, ops_sudoers
>   Sudo Allow Command Groups: jira_access
>   Sudo Option: !authenticate
> [andrew.meyer@jira02 ~]$
> 
> [andrew.meyer@jira02 ~]$ ipa sudocmd-find su_jira_cmds
> ----------------------
> 1 Sudo Command matched
> ----------------------
>   Sudo Command: /usr/bin/su - jira,/usr/bin/sudo su - jira,/bin/su - jira,/bin/sudo - jira
>   Description: su_jira_cmds
> ----------------------------
> Number of entries returned 1
> ----------------------------
> What am I doing wrong?

I would first run "sudo -l" to see if the user is able to run any sudo
commands at all.

Then I'd proceed to sudo debugging from
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html#obtaining-logs
to see what data was transferred to sudo and how sudo evaluated them.