On 01/10/2014 11:52 AM, Fred van Zwieten wrote: > Hi, > > I have a sudo rule in IPA that has the !authenticate option added to enable > admins to execute certain programs as root without authentication. > > It doesn't work. There is another rule for the admins that allow all > commands as long as they give their password. > > In a sudoers file, you can solve this by specifing the nopasswd rule as > last. > > sudo -l from an IPA-client gives me this: > > *******@svr001 ~]$ sudo -l > Matching Defaults entries for ******* on this host: > requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS > DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 > PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE > LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY > LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL > LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", > secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin > > User ******** may run the following commands on this host: > (root) NOPASSWD: ALL > (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more, > /usr/bin/less, !/bin/su > (root) NOPASSWD: /usr/bin/cobbler > (root) !/bin/su > > I want the cobbler command to run without password authentication. What am > I doing wrong? >
Would setting SUDO rule order help? # ipa sudorule-mod -h ... --order=INT integer to order the Sudo rules ... Martin _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users