On Mon, 13 Apr 2015, Gould, Joshua wrote:
I’ve looked at the docs and it looks as if I can specify an external
user who can have sudo rights via IPA.


The issue being that when I try to add my AD Trust user, it doesn’t
allow the @ sign. (ex. gould@test.osuwmc).

If I modify the sudo rule to allow all users, I can see that it allows
my AD account sudo rights.

$ sudo –l

User gould@test.osuwmc may run the following commands on this host:
   (ALL : ALL) ALL

How can I configure the rule to allow certain AD users to be able to
execute certain sudo rules?
Through external users' groups mechanism we use for any other AD users
mapping in HBAC and SUDO. These are not local (not defined in IPA but
defined on the host) groups and users but rather AD groups and users.

ipa group-add --external gould_group_ext
ipa group-add-member gould_group_ext --external=gould@test.osuwmc
ipa group-add gould_group
ipa group-add-member gould_group --groups=gould_group_ext

And now make sudo rule that allows users of gould_group to run needed
commands. SSSD will pull in all membership information for gould_group,
including AD users.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to