On 01/10/2014 04:52 PM, Fred van Zwieten wrote: > Yes, you would expect that to help, wouldn't you :-)
Yes, I would :-) > > Didn't even know this existed. Thanks for that. > > User has 3 sudo rules. I have set the allow_all rule to 1, the second rule > to 2 and the cobbler (with the "!authenticate" option) rule to 99: What is the version of the SUDO on your system? According to http://www.sudo.ws/sudoers.ldap.man.html it was implemented in SUDO 1.7.5. Martin > > User ******** may run the following commands on this host: > (root) ALL > (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more, > /usr/bin/less, !/bin/su > (root) NOPASSWD: /usr/bin/cobbler > (root) !/bin/su > > Nope. Didn't help. > > Fred > > On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek <mko...@redhat.com> wrote: > >> On 01/10/2014 11:52 AM, Fred van Zwieten wrote: >>> Hi, >>> >>> I have a sudo rule in IPA that has the !authenticate option added to >> enable >>> admins to execute certain programs as root without authentication. >>> >>> It doesn't work. There is another rule for the admins that allow all >>> commands as long as they give their password. >>> >>> In a sudoers file, you can solve this by specifing the nopasswd rule as >>> last. >>> >>> sudo -l from an IPA-client gives me this: >>> >>> *******@svr001 ~]$ sudo -l >>> Matching Defaults entries for ******* on this host: >>> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS >>> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL >> PS1 >>> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE >>> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY >>> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL >>> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", >>> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin >>> >>> User ******** may run the following commands on this host: >>> (root) NOPASSWD: ALL >>> (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, >> /bin/more, >>> /usr/bin/less, !/bin/su >>> (root) NOPASSWD: /usr/bin/cobbler >>> (root) !/bin/su >>> >>> I want the cobbler command to run without password authentication. What >> am >>> I doing wrong? >>> >> >> Would setting SUDO rule order help? >> >> # ipa sudorule-mod -h >> ... >> --order=INT integer to order the Sudo rules >> ... >> >> Martin >> >> > _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users