Can you turn on debugging?

"sudoers_debug    2"

to /etc/sudo-ldap.conf (assumes RHEL6.3)

Also you could try adding the host directly to the sudo rule and not via a host 
group as that seems buggy....


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: [] on 
behalf of Toasted Penguin []
Sent: Wednesday, 17 October 2012 10:24 a.m.
Subject: [Freeipa-users] Setting up sudo in FreeIPA v2.2

I have the server setup to manage sudo and I configured a target client to use 
the IPA server for sudo.  When a user tries to use sudo (in this case "sudo su 
-") it fails and they get the error "user is not allowed to run sudo on 
client-host.  This incident will be reported." I verified via the log files 
that the client is making requests to the IPA server when the user is attemping 
to use sudo and it fails.  I temporarily disabled using the IPA server for sudo 
and I get the standard "User not in the sudoers file...."

Its starting to look like the server rules maybe the issue but I believe I have 
the sudo rule setup correctly.  I created a sudo command "/bin/su", created a 
sudo rule "Sudo to root" , added the group the user in question is a part of to 
the WHO-->User Groups; Added the Host Group the target client host is part of 
to Access This Host-->Host Groups and added the sudo command to the sudo rule 
via Allow-->Sudo Allow Commands.  When I delete the sudo rule I get the same 
result as I did when I temporarily disbled the client host using tghe IPA 
server for sudo verification.

Any ideas why or where to look to figure out this issue?

Freeipa-users mailing list

Reply via email to