On Wed, Jun 12, 2013 at 1:56 AM, Sina Owolabi <shinacaly...@gmail.com> wrote:
> Please help me understand what I am doing wrong:
> I'm using two RHEL6.4 ipa servers in a multi-master configuration
> Instead of creating multiple sudocmdgroups and sudo rules, I tried to subset
> what I could see in the /etc/sudoers files and have nested command groups
> and rules, to be applied to certain users and hostgroups as needed.
> I have a hostgroup called allservers, which applies to all servers.
> The allservers hostgroup is a member of sudo rule admin-commands, which I
> created for specific users to be able to run admin commands on all servers.
> I have added as members, multiple sudogroups, each of which have a number of
> commands inside of them. Despite this, I find that sudo does not allow me to
> run any command as the users added to the admin-command rule. Please help me
> see where my logic is broken, and what to do to fix. Thanks a lot in
We have deployed sudo across all our IPA nodes with cfengine. The
configuration you need is this:
/etc/sudo-ldap.conf (permissions 640)
URI ldaps://kdc1.domain.tld ldaps://kdc2.domain.tld
If you need debugging, change SUDOERS_DEBUG to 1
in /etc/nsswitch.conf, you need to have this:
sudoers: files ldap
sudo needs a NIS domain defined, so on all the nodes you can edit the
/etc/sysconfig/network file and add something like this:
after which a reboot is needed. When you log in to the node, in the shell
you need to see your IPA domain name there.
If you have a configuration management system modify these files for
you, do not forget to restore the selinux context in /etc if selinux is
After that, create a sudo rule. This is our admins sudo rule:
$ ipa sudorule-show admins
Rule name: admins
Description: admins may run any command on anyhost
Host category: all
Command category: all
User Groups: admins
Sudo Option: !authenticate
It works. I have not yet created other sudo rules limited to a set of
hosts/commands, but it should be straight forward.
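The client-side checklist above (nsswitch, sudo-ldap.conf, NIS domain, SELinux labels) plus the server-side rule lends itself to a small audit script. The following is an added example, not code from the original post or from the FreeIPA project: each check takes the file to inspect as an argument so it can be run against the live /etc files or against copies and fixtures. The hostnames, the `NISDOMAIN=` key in /etc/sysconfig/network (assumed to be the "something like this" the post elides), and the use of the post's rule name `admins` are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the client-side
# settings the reply lists before trusting that cfengine (or an admin)
# applied them. Every function takes the file to inspect as an argument,
# so it runs against fixtures as well as the live /etc files. Hostnames,
# the NISDOMAIN= key and the rule name "admins" are assumptions.

# 1. /etc/nsswitch.conf: sudoers lookups must go to files, then ldap.
check_nsswitch() {                       # $1 = path to nsswitch.conf
    grep -Eq '^[[:space:]]*sudoers:[[:space:]]+files[[:space:]]+ldap([[:space:]]|$)' "$1"
}

# 2. /etc/sudo-ldap.conf: every URI must use ldaps:// (the lookups carry
#    the sudoers policy, so they must not travel in cleartext), and the
#    file must be mode 640 or tighter, as the post requires.
check_sudo_ldap_conf() {                 # $1 = path to sudo-ldap.conf
    f=$1
    grep -Eq '^[[:space:]]*URI[[:space:]]+ldaps://' "$f" || return 1
    # "ldap://" never occurs inside "ldaps://", so this matches only
    # cleartext URIs.
    ! grep -Eq '^[[:space:]]*URI.*ldap://' "$f" || return 1
    perms=$(ls -ld "$f" | cut -c1-10)    # e.g. -rw-r-----
    group=$(printf '%s' "$perms" | cut -c5-7)
    other=$(printf '%s' "$perms" | cut -c8-10)
    [ "$other" = '---' ] || return 1
    case "$group" in ---|r--) ;; *) return 1 ;; esac
}

# 3. sudo's LDAP backend filters rules by NIS domain, so the node needs
#    one. RHEL6 sets it at boot from NISDOMAIN= in /etc/sysconfig/network
#    (assumed key); the value must be the IPA domain.
get_nisdomain() {                        # $1 = path to sysconfig/network
    sed -n 's/^[[:space:]]*NISDOMAIN=//p' "$1" | tail -n 1 | tr -d '"'
}
check_nisdomain() {                      # $1 = file, $2 = expected IPA domain
    [ "$(get_nisdomain "$1")" = "$2" ]
}
# The file only takes effect after the reboot the post mentions; this
# checks the running value instead (needs a real host, so not run offline).
check_live_nisdomain() {                 # $1 = expected IPA domain
    [ "$(domainname 2>/dev/null)" = "$1" ]
}

# 4. Files written by a config-management tool may carry the wrong SELinux
#    label; restorecon puts the policy's label back on them.
fix_selinux_context() {
    command -v restorecon >/dev/null 2>&1 || return 0   # no SELinux tools
    restorecon -v /etc/sudo-ldap.conf /etc/nsswitch.conf /etc/sysconfig/network
}

# Run all file checks; returns 0 only if every one passes.
audit_node() {   # $1 nsswitch.conf  $2 sudo-ldap.conf  $3 sysconfig/network  $4 IPA domain
    rc=0
    check_nsswitch "$1"       || { echo "nsswitch.conf: sudoers line missing" >&2; rc=1; }
    check_sudo_ldap_conf "$2" || { echo "sudo-ldap.conf: bad URI or permissions" >&2; rc=1; }
    check_nisdomain "$3" "$4" || { echo "sysconfig/network: NISDOMAIN != $4" >&2; rc=1; }
    return $rc
}

# 5. Server side: the admins rule shown in the post, as ipa CLI calls
#    (run once on any master; the rule name is the post's own).
create_admins_rule() {
    ipa sudorule-add admins --desc='admins may run any command on anyhost' \
        --hostcat=all --cmdcat=all &&
    ipa sudorule-add-user admins --groups=admins &&
    ipa sudorule-add-option admins --sudooption='!authenticate'
}

# Usage: sh sudo-ldap-audit.sh /etc/nsswitch.conf /etc/sudo-ldap.conf \
#            /etc/sysconfig/network domain.tld
if [ "$#" -eq 4 ]; then
    audit_node "$@"
fi
```

After the node passes the audit and has been rebooted, `sudo -l` as a member of the admins group is the quickest end-to-end check: it should list the rule fetched over LDAP, and raising SUDOERS_DEBUG as the post suggests shows the query and the NIS domain sudo used if it does not.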
Freeipa-users mailing list