Sina Owolabi wrote:
Please help me understand what I am doing wrong:

Im using two RHEL6.4 ipa servers in a multi-master configuration
Instead of creating multiple sudocmdgroups and sudo rules, I tried to
subset what I could see in the /etc/sudoers files and have nested
command groups and rules, to be applied to certain users and hostgroups
as needed.
I have a hostgroup called allservers, which applies to all servers.

The allservers hostgroup is a member of sudo rule admin-commands, which
I created for specific users to be able to run admin commands on all
servers. I have added as members, multiple sudogroups, each of which
have a number of commands inside of them. Despite this, I find that sudo
does not allow me to run any command as the users added to the
admin-command rule. Please help me see where my logic is broken, and
what to do to fix. Thanks a lot in advance.
My sudo-ldap.conf is correctly configured, and so is nsswitch.conf.

Output is below:

  sudo service httpd status
[sudo] password for tuser:
tuser is not allowed to run sudo on waphost.  This incident will be

ipa sudorule-find admin-commands
1 Sudo Rule matched
   Rule name: admin-commands
   Enabled: TRUE
   Users: tuser
  Host Groups: allservers
   Sudo Allow Command Groups: locate, networking, rooting, services,
software, storage
   Sudo Option: !authenticate
Number of entries returned 1

Did you set your NIS domain name on the client machine? sudo uses netgroups which needs the NIS domain. By default IPA creates a managed netgroup for each hostgroup so one should be available with the right information.


Freeipa-users mailing list

Reply via email to