On 01/08/2015 10:45 AM, Pavel Březina wrote:
> On 01/07/2015 06:32 PM, Craig White wrote:
>> Still struggling with this...
>>
>> $ sudo /sbin/service pe-puppet restart
>> [sudo] password for rundeck:
>> Stopping puppet: [ OK ]
>> Starting puppet: [ OK ]
>>
>> So it asks for the password even though, via FreeIPA it isn't required...
>>
>> $ sudo -l
>> Matching Defaults entries for rundeck on this host:
>> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>
>> User rundeck may run the following commands on this host:
>> (root) ALL
>> (ALL) NOPASSWD: ALL
>
> Hi,
> thank you, I was just going to ask you for sudo -l. I believe that the problem
> is that (root) ALL rule takes precedence. Or to be more precise, the first rule
> that matches is always applied, unless sudoOrder attribute is present (but that
> is not supported by IPA, is it?).

JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket
https://fedorahosted.org/freeipa/ticket/4107).

Martin
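
An added illustration, not part of any message in this thread: a small Python model of the selection rule documented in sudoers.ldap (among the sudoRole entries that match, the one with the highest sudoOrder is chosen, and a missing sudoOrder counts as 0), plus a check for rules that tie at the top with conflicting password requirements. The rule names, the host name and the simplified exact-or-ALL matching are assumptions; ties are resolved by list order here, which a directory does not guarantee.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SudoRole:
    cn: str
    sudo_user: str
    sudo_host: str
    sudo_command: str
    sudo_options: tuple = ()
    sudo_order: int = 0  # sudoers.ldap: a missing sudoOrder counts as 0

def matching(roles, user, host, command):
    """Roles covering the request (simplified: exact value or ALL only)."""
    def ok(value, wanted):
        return value in ("ALL", wanted)
    return [r for r in roles
            if ok(r.sudo_user, user) and ok(r.sudo_host, host)
            and ok(r.sudo_command, command)]

def effective_role(roles, user, host, command):
    """Highest sudoOrder wins; ties fall back to list order (model assumption)."""
    hits = matching(roles, user, host, command)
    return max(hits, key=lambda r: r.sudo_order) if hits else None

def needs_password(role):
    # NOPASSWD is expressed in LDAP as the sudoOption "!authenticate".
    return "!authenticate" not in role.sudo_options

def ambiguous(roles, user, host, command):
    """True when the top-ranked matching roles disagree about the password."""
    hits = matching(roles, user, host, command)
    if not hits:
        return False
    top = max(r.sudo_order for r in hits)
    return len({needs_password(r) for r in hits if r.sudo_order == top}) > 1

def with_order(roles, cn, order):
    """Copy of the rule list with sudoOrder set on one rule."""
    return [replace(r, sudo_order=order) if r.cn == cn else r for r in roles]

# Constructed entries modelled on the two rules in the `sudo -l` output above.
ROLES = [
    SudoRole("rundeck_all", "rundeck", "ALL", "ALL"),
    SudoRole("rundeck_nopasswd", "rundeck", "ALL", "ALL", ("!authenticate",)),
]
REQUEST = ("rundeck", "host.example.com", "/sbin/service")

if __name__ == "__main__":
    for label, roles in (("no sudoOrder", ROLES),
                         ("nopasswd order=10", with_order(ROLES, "rundeck_nopasswd", 10))):
        role = effective_role(roles, *REQUEST)
        print(label, role.cn, needs_password(role), ambiguous(roles, *REQUEST))
```

In FreeIPA the attribute is set with the `--order` option of `ipa sudorule-add` and `ipa sudorule-mod`.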