On Fri, Aug 29, 2014 at 09:30:55AM +0300, Tevfik Ceydeliler wrote:
> 
> Here is my configuration and client output. I don't know what is wrong

Please keep the freeipa-users list in the CC list; other users might run
into the same problem.

> =======================================================
> Server Side:
> [root@srv ~]# ipa sudorule-find
> -------------------
> 1 Sudo Rule matched
> -------------------
>   Rule name: log-reading
>   Enabled: TRUE
>   Users: kduser1, user1
>   Hosts: clnt2.ipa.grp, clnt.ipa.grp
>   Sudo Allow Commands: /usr/bin/less, /usr/bin/vi, /usr/bin/yum,
> /usr/bin/apt-
>                        get
>   Sudo Option: !authenticate
> ----------------------------
> Number of entries returned 1
> ----------------------------
> 
> 
> And client side:
> 1. nsswitch.conf:
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat sss
> group:          compat sss
> shadow:         compat
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns
> networks:       files
> 
> protocols:      sss files
> services:       sss files
> ethers:         sss files
> rpc:            sss files
> 
> netgroup:       nis sss
> sudoers:        files sss
> sudoers_debug:  1
> 
> 2. sssd.conf:
> 
> [domain/ipa.grp]
> krb5_realm = IPA.GRP
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.grp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = clnt.ipa.grp
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, srv.ipa.grp
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = ipa.grp
> [nss]
> homedir_substring = /home
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
> ldap_sasl_mech = GSSAPI
> ldap=sasl_authid = host/cnlt2.ipa.grp
> ldap_sasl_realm = IPA.GRP
> ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
> sudo_provider = ldap
> ldap_uri = ldap://srv.ipa.grp
> krb5_server = srv.ipa.grp

These options belong to the [domain] section, you put them into the
[pac] section.

> 
> When I try to use sudo:
> 
> user1@clnt:~$ sudo -i user1 vi apt-get update
> [sudo] password for user1:
> Sorry, user user1 is not allowed to execute '/bin/bash -c user1 vi apt-get
> update' as root on clnt.ipa.grp.
> user1@clnt:~$
> 
> =======================================================
> On 28-08-2014 17:21, Jakub Hrozek wrote:
> >On Thu, Aug 28, 2014 at 02:53:35PM +0300, Tevfik Ceydeliler wrote:
> >>After configuration, for example, I try to create a policy about the sudo
> >>command, let's say I want to run the "apt-get" command by sudo as client
> >>
> >>How can I use it in client side?
> >>Any example?
> >I still don't understand what you mean, did you check out the 'ipa
> >sudorule-add-runasuser' command?
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
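The diagnosis above is that the sudo-related options were placed under `[pac]` instead of `[domain/ipa.grp]`. The following is an added example, not part of this thread and not SSSD's own code: a small checker that parses an sssd.conf-style file, reports domain-level options found outside a `[domain/...]` section, and rewrites the file with those options moved into the domain section. The set of domain-only option names is an assumption taken from the options shown in the posted configuration, and the posted configuration is embedded as the sample input.

```python
"""Detect and relocate SSSD domain options placed in the wrong section.

Added example for the freeipa-users thread above; it is not SSSD code.
The option list below is an assumption limited to the options that appeared
in the poster's configuration.
"""

# Options that SSSD only honours inside a [domain/NAME] section (assumed set,
# taken from the options the poster put under [pac]).
DOMAIN_ONLY_OPTIONS = {
    "sudo_provider", "ldap_uri", "krb5_server", "ldap_sudo_search_base",
    "ldap_sasl_mech", "ldap_sasl_authid", "ldap_sasl_realm",
    "ldap_netgroup_search_base",
}

# The configuration as posted in the thread (sample input for this example).
POSTED_SSSD_CONF = """\
[domain/ipa.grp]
krb5_realm = IPA.GRP
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.grp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp
[nss]
homedir_substring = /home
[pam]

[sudo]

[autofs]

[ssh]

[pac]

ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp
"""


def parse_sections(conf_text):
    """Parse INI-style text into an ordered list of (section, [(key, value), ...]).

    Splits each option line at the first '=', so the poster's mistyped
    'ldap=sasl_authid = ...' line is recorded under the key 'ldap'.
    """
    sections = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])
            sections.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[1].append((key.strip(), value.strip()))
    return sections


def misplaced_options(conf_text):
    """Return [(section, option), ...] for domain-only options outside [domain/...]."""
    return [(sec, key)
            for sec, opts in parse_sections(conf_text)
            if not sec.startswith("domain/")
            for key, _ in opts
            if key in DOMAIN_ONLY_OPTIONS]


def relocate_to_domain(conf_text):
    """Return the config text with misplaced domain options moved into the
    single [domain/...] section; other sections keep their remaining options."""
    sections = parse_sections(conf_text)
    domains = [s for s in sections if s[0].startswith("domain/")]
    if len(domains) != 1:
        raise ValueError("expected exactly one [domain/...] section")
    domain_opts = domains[0][1]
    for sec, opts in sections:
        if sec.startswith("domain/"):
            continue
        keep = []
        for key, value in opts:
            (domain_opts if key in DOMAIN_ONLY_OPTIONS else keep).append((key, value))
        opts[:] = keep
    out = []
    for sec, opts in sections:
        out.append(f"[{sec}]")
        out.extend(f"{key} = {value}" for key, value in opts)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for section, option in misplaced_options(POSTED_SSSD_CONF):
        print(f"{option} is under [{section}] but belongs in the [domain/...] section")
    print(relocate_to_domain(POSTED_SSSD_CONF))
```

Note that the checker only reports options whose names it recognises; the mistyped `ldap=sasl_authid` line is parsed as an option named `ldap` and is left where it is, so a human still has to fix that line by hand.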