Our sudo is set up to use local files with the rule citing a group, with the 
group in IPA. sssd gets a fresh groups list for the user at login, so there 
should be no caching issues. This should be sufficient if you’re just 
interested in sudo root or a few fairly fixed things. If you’re using sudo in 
more complex ways and the requirements change a lot, then having the whole 
thing in IPA would certainly be a win.

On Nov 9, 2017, at 8:48 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Ok so I did that and the rules are coming down just like I thought:

[user1@jira02 ~]$ sudo -l
Matching Defaults entries for rob.lloyd on jira02:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on jira02:
    (ALL : ALL) NOPASSWD: /usr/bin/su - jira,/usr/bin/sudo su - jira,/bin/su - jira,/bin/sudo - jira
[user1@jira02 ~]$

But I'm not able to execute... I will look into the debugger and see what I get.
This is all new territory for me. If you have any ideas, thank you in advance.
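One check worth running against output like the above, added here as an example and not code from the thread, FreeIPA or sudo: the `ipa sudocmd-find` output quoted further down reports a single Sudo Command whose value holds four comma-separated commands. sudo treats each sudoCommand value it receives from SSSD as one command, taking the first token as the program path and the rest as a literal argument pattern; it does not split a value on commas the way a sudoers file line is split. That matching model is my understanding of sudo's LDAP/SSSD handling and is stated here as an assumption. The merged command string is copied from the thread; the split list and the requested command lines are constructed.

```python
"""Model how sudo matches a requested command line against the sudoCommand
values it receives from SSSD/IPA.

Added example, not code from the thread or from FreeIPA/sudo. Assumed model
of sudo's behaviour: each sudoCommand value is ONE command; its first token is
the program path and the remainder is the argument pattern, which must match
the actual arguments exactly (shell wildcards allowed, "" means no arguments).
"""
import fnmatch
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the `ipa sudocmd-find` output in the thread: one entry holding
# four commands separated by commas.
MERGED_ENTRY = "/usr/bin/su - jira,/usr/bin/sudo su - jira,/bin/su - jira,/bin/sudo - jira"
# The same four commands stored as separate sudocmd entries (constructed).
SPLIT_ENTRIES = ["/usr/bin/su - jira", "/usr/bin/sudo su - jira",
                 "/bin/su - jira", "/bin/sudo - jira"]


@dataclass(frozen=True)
class SudoCmnd:
    path: str            # program path pattern, or "ALL"
    args: Optional[str]  # argument pattern; None means "any arguments"

    @classmethod
    def parse(cls, value: str) -> "SudoCmnd":
        value = value.strip()
        if value == "ALL":
            return cls("ALL", None)
        path, _, rest = value.partition(" ")
        rest = rest.strip()
        return cls(path, rest or None)

    def matches(self, path: str, args: List[str]) -> bool:
        if self.path != "ALL" and not fnmatch.fnmatchcase(path, self.path):
            return False
        if self.args is None:
            return True
        if self.args == '""':
            return not args
        return fnmatch.fnmatchcase(" ".join(args), self.args)


def check(entries: List[str], command_line: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, matching entry). command_line must already carry the
    resolved program path, as in the "not allowed to execute '/bin/su - jira'"
    message: with the secure_path shown above, `su` resolves to /bin/su."""
    tokens = shlex.split(command_line)
    path, args = tokens[0], tokens[1:]
    for entry in entries:
        if SudoCmnd.parse(entry).matches(path, args):
            return True, entry
    return False, None


def flag_merged(entries: List[str]) -> List[str]:
    """Entries containing a comma are suspicious: in a sudoers file the comma
    separates commands, but inside one sudoCommand value it is just another
    character of the argument pattern."""
    return [e for e in entries if "," in e]


def what_sudo_sees(entry: str) -> Tuple[str, Optional[str]]:
    """Show the (path, argument pattern) split sudo applies to a value."""
    cmd = SudoCmnd.parse(entry)
    return cmd.path, cmd.args


if __name__ == "__main__":
    for label, entries in (("merged", [MERGED_ENTRY]), ("split", SPLIT_ENTRIES)):
        allowed, hit = check(entries, "/bin/su - jira")
        print(f"{label:6s} /bin/su - jira -> {'allowed' if allowed else 'DENIED'}"
              f"{' via ' + hit if hit else ''}")
    for e in flag_merged([MERGED_ENTRY]):
        print("suspicious entry (contains commas):", what_sudo_sees(e))
```

Run stand-alone, the script reports that the merged value denies `/bin/su - jira` (the path it parses is `/usr/bin/su` and the argument pattern is the whole remaining string), while the four separate entries allow it via `/bin/su - jira`. `flag_merged` is the quick audit to run over `ipa sudocmd-find` output before going further into the SSSD and sudo debug logs.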


On Thursday, November 9, 2017 1:47 AM, Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


On Thu, Nov 09, 2017 at 02:07:03AM +0000, Andrew Meyer via FreeIPA-users wrote:
> Hello, I am trying to set up a few of my users to have the ability to su -
> jira or another user using FreeIPA.
> Here is what happens when I am logged in as the user and try to su - jira
> [user1@jira02 ~]$ sudo su - process
> [sudo] password for user1:
> Sorry, user user1 is not allowed to execute '/bin/su - jira' as root on jira02.example.net.
> [user1@jira02 ~]$
> [andrew.meyer@jira02 ~]$ ipa sudorule-show su_jira
>   Rule name: su_jira
>   Enabled: TRUE
>   Host category: all
>   RunAs User category: all
>   RunAs Group category: all
>   User Groups: developers, ops_sudoers
>   Sudo Allow Command Groups: jira_access
>   Sudo Option: !authenticate
> [andrew.meyer@jira02 ~]$
>
> [andrew.meyer@jira02 ~]$ ipa sudocmd-find su_jira_cmds
> ----------------------
> 1 Sudo Command matched
> ----------------------
>   Sudo Command: /usr/bin/su - jira,/usr/bin/sudo su - jira,/bin/su - jira,/bin/sudo - jira
>   Description: su_jira_cmds
> ----------------------------
> Number of entries returned 1
> ----------------------------
> What am I doing wrong?

I would first run "sudo -l" to see if the user is able to run any sudo
commands at all.

Then I'd proceed to sudo debugging from
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html#obtaining-logs
to see what data was transferred to sudo and how sudo evaluated it.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

