Hi,

Did you config HBAC to allow sudo, then in sudo rules, allow your sudo command, next would be adding HBAC rules to user group?

Sent from my BlackBerry 10 smartphone.

First 10 ipa clients I set up - no problem. Set up 2 more, perhaps this is a problem with the fact that these 2 hosts were on a totally new VLAN and the firewall rules weren't correct when I set them up.

Been through the part on sudo here… http://www.freeipa.org/page/Troubleshooting

nisdomainname is correct on the machines and also in /etc/sysconfig/network

had to add "sudo" to [sssd] services = nss, sudo, pam, ssh and restarted sssd though I don't know why it wasn't added automatically

checked nsswitch.conf and netgroup is set to "files sss"

getent netgroup hgroup1
returns nothing on machines where sudo works and doesn't work - can't tell the difference

Added "sudoers_debug 2" to /etc/sudo_ldap.conf but don't know where that logs

And finally, on a machine where ipa users cannot sudo…

# sudo -l
Matching Defaults entries for root on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on this host:
    (ALL) ALL

$ sudo -l
[sudo] password for craig.white:
Sorry, user craig.white may not run sudo on 599330-stash001.

Craig White
System Administrator
O 623-201-8179
M 602-377-9752
SkyTouch Technology
4225 E. Windrose Dr. Phoenix, AZ 85032
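
The two client-side file checks described in the message above ("sudo" in the [sssd] services line, sss listed for netgroup in nsswitch.conf), as an added example that is not part of the original thread. The function names are hypothetical and the file contents are constructed samples; point the functions at /etc/sssd/sssd.conf and /etc/nsswitch.conf on a real client.

```shell
#!/bin/sh
# Added example; the config contents written below are constructed samples.

# sssd_has_service FILE NAME: true if NAME is in "services =" under [sssd] only.
sssd_has_service() {
    awk -v want="$2" '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] == want) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# nss_has_source FILE DATABASE SOURCE: true if nsswitch.conf lists SOURCE for DATABASE.
nss_has_source() {
    awk -v db="$2" -v src="$3" '
        { sub(/#.*/, "") }   # drop trailing comments before comparing fields
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# check_client SSSD_CONF NSSWITCH_CONF: prints findings, returns the number of failures.
check_client() {
    fails=0
    sssd_has_service "$1" sudo || { echo "FAIL: 'sudo' not in [sssd] services ($1)"; fails=$((fails + 1)); }
    nss_has_source "$2" netgroup sss || { echo "FAIL: netgroup lacks sss ($2)"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $1 $2"
    return "$fails"
}

demo=$(mktemp -d)
# "before" sample: sudo absent from [sssd]; the line in the other section is a decoy
# that a plain grep for "sudo" would wrongly accept.
printf '[sssd]\nservices = nss, pam, ssh\n\n[domain/example.test]\nservices = sudo\n' > "$demo/sssd_before.conf"
printf '[sssd]\nservices = nss, sudo, pam, ssh\n' > "$demo/sssd_after.conf"
printf 'passwd: files sss\nnetgroup: files sss  # comment\n' > "$demo/nsswitch.conf"
check_client "$demo/sssd_before.conf" "$demo/nsswitch.conf" || true
check_client "$demo/sssd_after.conf" "$demo/nsswitch.conf"
```
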
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
