On Tue, Jul 17, 2012 at 1:40 PM, KodaK <sako...@gmail.com> wrote:
> On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal <d...@redhat.com> wrote:
>> On 07/17/2012 11:50 AM, KodaK wrote:
>>> I've been banging my head on this for a couple of days, and I can't
>>> find anything in the docs or by searching.
>>> I'm trying to do what I think should be pretty simple: I have a group
>>> of users and an application account, all in IPA. I want users in that
>>> group to be able to "sudo su - appacct".
>>> What I've found is that I probably can't do it exactly like that, so
>>> now I'm trying "sudo -i appacct", but I can't get that to work either.
>>> My rule is set up like this:
>>> rule name: become-appacct
>>> sudo option: -i appacct (I'm not sure this is right.)
>>> user groups: admins, appgroup
>>> host groups: apphostgroup
>>> Everything else is blank. Note that this is just the current
>>> configuration; I've tried a bunch of iterations.
>>> Any help?
>> If you are using IPA, it internally has a different schema for sudo than
>> the one published on the sudo web site.
>> It is then transformed into a traditional sudo schema using the compat tree.
>> So what you need to do is make sure you create the right sudo rule.
>> Your sudo rule should use:
>> user groups: admins, appgroup
>> host groups: apphostgroup
>> command: sudo -i
> Thanks. I had some fighting to do to get sudo to talk to ldap on this
> box, but I have that going now.
> If I understand you correctly, I've created a rule like you've
> suggested. However, I get:
> Sorry, user jebalicki is not allowed to execute '/bin/bash -c
> cdcadmin' as root on slncdcl01.unix.magellanhealth.com.
I got it. I was able to use:
Rule name: become-cdcadmin
User Groups: admins, stsg
Host Groups: cdchosts
Sudo Allow Commands: /bin/su - cdcadmin
I thought I tried that first, but I must have had something else wrong.
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6
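As an added example (not code from the thread or from FreeIPA), the Python below renders both rules discussed above the way the compat tree exposes an IPA sudo rule to sudo (a sudoRole entry with the standard sudoers LDAP attributes) and checks requests against them with a simplified exact-match stand-in for sudo's own matching; all rule and request data is constructed from the thread.

```python
# Added example (not from the thread): how a FreeIPA sudo rule reaches
# sudo via the compat tree, and why the first rule in the thread denied
# '/bin/bash -c cdcadmin'. Attribute names are the standard sudoers LDAP
# schema; the '%group' / '+hostgroup' mapping is what the compat plugin
# emits. Matching is simplified (exact command+args or ALL). Data constructed.

def ipa_rule_to_sudo_role(rule):
    """Compat-tree view of an IPA sudo rule as (attribute, value) pairs."""
    entry = [("cn", rule["name"])]
    entry += [("sudoUser", "%" + g) for g in rule.get("user_groups", [])]
    entry += [("sudoHost", "+" + h) for h in rule.get("host_groups", [])]
    entry += [("sudoCommand", c) for c in rule.get("allow_commands", [])]
    entry += [("sudoOption", o) for o in rule.get("options", [])]
    return entry

def sudo_permits(role, user_groups, host_groups, command):
    """Would sudo accept `command` under this role for a user in user_groups
    on a host in host_groups? User and host must match AND the command must
    be listed; a rule with no sudoCommand permits nothing."""
    users = {v for a, v in role if a == "sudoUser"}
    hosts = {v for a, v in role if a == "sudoHost"}
    cmds = {v for a, v in role if a == "sudoCommand"}
    user_ok = "ALL" in users or any("%" + g in users for g in user_groups)
    host_ok = "ALL" in hosts or any("+" + h in hosts for h in host_groups)
    return user_ok and host_ok and ("ALL" in cmds or command in cmds)

# First attempt from the thread: an option, no allowed command. 'sudo -i X'
# means "run X through root's login shell", so sudo asks to run
# '/bin/bash -c cdcadmin' as root and nothing in the rule allows it.
BROKEN_RULE = {"name": "become-appacct", "user_groups": ["admins", "appgroup"],
               "host_groups": ["apphostgroup"], "options": ["-i appacct"]}

# Working rule from the end of the thread: pin the exact su invocation.
WORKING_RULE = {"name": "become-cdcadmin", "user_groups": ["admins", "stsg"],
                "host_groups": ["cdchosts"], "allow_commands": ["/bin/su - cdcadmin"]}

def demo():
    broken = ipa_rule_to_sudo_role(BROKEN_RULE)
    working = ipa_rule_to_sudo_role(WORKING_RULE)
    return {
        "broken_denies_sudo_i": not sudo_permits(broken, ["appgroup"], ["apphostgroup"], "/bin/bash -c cdcadmin"),
        "working_allows_su": sudo_permits(working, ["stsg"], ["cdchosts"], "/bin/su - cdcadmin"),
        # the allow command also pins the target account: su to root is not covered
        "working_denies_su_root": not sudo_permits(working, ["stsg"], ["cdchosts"], "/bin/su - root"),
        "wrong_host_denied": not sudo_permits(working, ["stsg"], ["otherhosts"], "/bin/su - cdcadmin"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The same rule can be inspected on a live client with `sudo -l -U <user>`, which prints the commands the compat tree actually grants.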