my 2 cents,

2 possibilities,

1) There should I think be a HBAC rule and a sudo rule pair, I think you need 
both.  For the HBAC rule with limited permissions you need the sudo privaledge 
and access say ssh and /or login,  so at least 2, so when you say "1" it might 
be that? I dont know how you are getting access, it sounds possible.

2) or you have the bug I have it looks possible as well,

Are you putting the host into a host group and using that host group in the 
sudo rule?

There is a bug that stops that working, so in the sudo rule delete the host 
group and add the server server/host itself and see if that works.

If so you have the bug, I find deleting the HBAC and sudo rules and starting 
again from scratch sometimes works, sometimes doesnt.  I have 30~50% of my sudo 
rules with individial hosts and not groups because of this.

If your problem is like mine, and you have RH support on RHEL?  then raise a 
case, my one is #6963677 so I'd ask for it to be linked but its been open since 



Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Macklin, Jason [jason.mack...@roche.com]
Sent: Tuesday, 16 October 2012 9:34 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Sudo works for full access, but not on a per command 
or host level.


I apologize up front if this is obvious, but I’m having issues configuring sudo 

I currently have an IPA server running FreeIPA 2.2 with sudo configured for our 
administrators on all hosts.  This works fantastic!  As soon as I attempt to 
configure a more specific sudo rule it does not work.  In my troubleshooting, I 
have noticed that from the same host my admin level privileges work, but with 
another user account setup to just run one command, it fails.  I have turned on 
sudo debugging and the only thing I can find that looks out of sorts is the 

sudo: host_matches=0

As soon as I move the user account that is failing into the admin group it 
starts to work.

I have attempted every iteration of sudo configuration on the server that I can 
think of.  I have setup HBAC and given that a shot as well.  At this point I’m 
completely stumped and would appreciate any help that I can get!

Thank you in advance for your assistance,
Freeipa-users mailing list

Reply via email to