I moved these configuration lines under the [domain] section, then rebooted the client. But same result.

On 29-08-2014 11:27, Jakub Hrozek wrote:
On Fri, Aug 29, 2014 at 09:30:55AM +0300, Tevfik Ceydeliler wrote:
Here is my configuration and client output. I don't know what is wrong.
Please keep the freeipa-users list in the CC list; other users might run
into the same problem.

=======================================================
Server Side:
[root@srv ~]# ipa sudorule-find
-------------------
1 Sudo Rule matched
-------------------
   Rule name: log-reading
   Enabled: TRUE
   Users: kduser1, user1
   Hosts: clnt2.ipa.grp, clnt.ipa.grp
   Sudo Allow Commands: /usr/bin/less, /usr/bin/vi, /usr/bin/yum, /usr/bin/apt-get
   Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------


And client side:
1. nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      sss files
services:       sss files
ethers:         sss files
rpc:            sss files

netgroup:       nis sss
sudoers:        files sss
sudoers_debug:  1

2. sssd.conf:

[domain/ipa.grp]
krb5_realm = IPA.GRP
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.grp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp
[nss]
homedir_substring = /home
[pam]

[sudo]

[autofs]

[ssh]

[pac]

ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp
These options belong to the [domain] section, you put them into the
[pac] section.

When I try to use sudo:

user1@clnt:~$ sudo -i user1 vi apt-get update
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/bash -c user1 vi apt-get update' as root on clnt.ipa.grp.
user1@clnt:~$

=======================================================
On 28-08-2014 17:21, Jakub Hrozek wrote:
On Thu, Aug 28, 2014 at 02:53:35PM +0300, Tevfik Ceydeliler wrote:
After configuration, for example, I try to create a policy about the sudo
command, let's say I want to run the "apt-get" command by sudo as client.

How can I use it in client side?
Any example?
I still don't understand what you mean, did you check out the 'ipa
sudorule-add-runasuser' command?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
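The misconfiguration Jakub points at (domain-level options written under [pac]) is easy to miss by eye in an sssd.conf with many empty sections. The following is an added example, not code from the thread or from SSSD: a small linter that parses an sssd.conf, reports domain-only options found outside any [domain/...] section, and rewrites the file with those options moved under the named domain. The sample config is a constructed copy of the client config posted above; its `ldap=sasl_authid` line is written as `ldap_sasl_authid` so that it parses. The list of domain-only options is an assumption limited to the keys that appear in that config, and the function names are the example's own.

```python
"""Added example (not code from the thread or from SSSD): find sssd.conf
options that only take effect inside a [domain/NAME] section but were
written elsewhere, and move them under the right domain section."""
import configparser
import io

# Options SSSD reads only from a [domain/NAME] section.
# Assumption: the set is limited to the keys that appear in the posted config.
DOMAIN_ONLY = frozenset({
    "ldap_sudo_search_base", "ldap_sasl_mech", "ldap_sasl_authid",
    "ldap_sasl_realm", "ldap_netgroup_search_base", "sudo_provider",
    "ldap_uri", "krb5_server",
})

# Constructed sample: the client's sssd.conf from the thread, with the
# "ldap=sasl_authid" typo written as "ldap_sasl_authid" so the line parses.
SAMPLE_SSSD_CONF = """\
[domain/ipa.grp]
krb5_realm = IPA.GRP
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.grp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = clnt.ipa.grp
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, srv.ipa.grp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.grp
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text. Only '=' is a delimiter so values such as
    ldap://host or ou=sudoers,dc=ipa,dc=grp are kept intact."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def misplaced_options(text):
    """Return [(section, option)] for every DOMAIN_ONLY option that sits
    outside a [domain/...] section, in file order."""
    cp = parse_sssd_conf(text)
    found = []
    for section in cp.sections():
        if section.startswith("domain/"):
            continue
        for option in cp[section]:
            if option in DOMAIN_ONLY:
                found.append((section, option))
    return found


def move_to_domain(text, domain):
    """Return the config text with each misplaced option removed from its
    current section and added, value unchanged, under [domain/<domain>]."""
    cp = parse_sssd_conf(text)
    target = "domain/" + domain
    if not cp.has_section(target):
        cp.add_section(target)
    for section, option in misplaced_options(text):
        cp[target][option] = cp[section][option]
        cp.remove_option(section, option)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, option in misplaced_options(SAMPLE_SSSD_CONF):
        print(f"[{section}] {option}: belongs in a [domain/...] section")
    print(move_to_domain(SAMPLE_SSSD_CONF, "ipa.grp"))
```

Run against the sample, the linter reports all eight keys under [pac], and the rewritten text carries them under [domain/ipa.grp] next to `id_provider = ipa`. Two other things visible in the posted output are worth checking before blaming SSSD: the command `sudo -i user1 vi apt-get update` asks for a login shell (`-i`), so sudo tries to run `/bin/bash -c 'user1 vi apt-get update'`, which matches none of the rule's allowed commands; `sudo -l` shows what the rule grants and `sudo /usr/bin/apt-get update` is the invocation that exercises it. Also, `ldap_sasl_authid = host/cnlt2.ipa.grp` does not match `ipa_hostname = clnt.ipa.grp`, and the two search bases disagree about the suffix (`ou=ipa,dc=grp` versus `dc=ipa,dc=grp`); both must name the client's own host principal and the server's real suffix.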