my 2 cents,
1) There should I think be a HBAC rule and a sudo rule pair, I think you need
both. For the HBAC rule with limited permissions you need the sudo privilege
and access say ssh and/or login, so at least 2, so when you say "1" it might
be that? I don't know how you are getting access, it sounds possible.
2) or you have the bug I have it looks possible as well,
Are you putting the host into a host group and using that host group in the
There is a bug that stops that working, so in the sudo rule delete the host
group and add the server/host itself and see if that works.
If so you have the bug, I find deleting the HBAC and sudo rules and starting
again from scratch sometimes works, sometimes doesn't. I have 30~50% of my sudo
rules with individual hosts and not groups because of this.
If your problem is like mine, and you have RH support on RHEL? then raise a
case, my one is #6963677 so I'd ask for it to be linked but it's been open since
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
behalf of Macklin, Jason [jason.mack...@roche.com]
Sent: Tuesday, 16 October 2012 9:34 a.m.
Subject: [Freeipa-users] Sudo works for full access, but not on a per command
or host level.
I apologize up front if this is obvious, but I’m having issues configuring sudo
I currently have an IPA server running FreeIPA 2.2 with sudo configured for our
administrators on all hosts. This works fantastic! As soon as I attempt to
configure a more specific sudo rule it does not work. In my troubleshooting, I
have noticed that from the same host my admin level privileges work, but with
another user account set up to just run one command, it fails. I have turned on
sudo debugging and the only thing I can find that looks out of sorts is the
As soon as I move the user account that is failing into the admin group it
starts to work.
I have attempted every iteration of sudo configuration on the server that I can
think of. I have set up HBAC and given that a shot as well. At this point I’m
completely stumped and would appreciate any help that I can get!
Thank you in advance for your assistance,