Ok, that was it:
sssd Version: 1.12.5-1~trusty1

I inverted the sudoOrders:

sudo -l
Matching Defaults entries for karl on xxxx:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User karl may run the following commands on xxxx:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
    (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *, /bin/chmod -R g[+-]* *
    (ALL) ALL
    (ALL) ALL

and I can use sudo less without password.

Thanks a lot.

On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrez...@redhat.com> wrote:
> On 10/08/2015 04:26 PM, Karl Forner wrote:
>>
>> Hi,
>>
>>
>>> you are prompted for password because (ALL) ALL rule is applied because
>>> of last-match rule.
>
>
> See:
>>> http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
>>
>>
>> Ok. I updated the rules to use a sudoorder attribute of 100 for the
>> /usr/bin/less sudo rule.
>> Now, if I type in a terminal:
>> %sudo -l
>> Matching Defaults entries for karl on midgard:
>> env_reset, mail_badpass,
>>
>> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>
>> User karl may run the following commands on xxxx:
>> (ALL) ALL
>> (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>> (ALL) ALL
>> (ALL) NOPASSWD: /usr/bin/less
>>
>> so my less rule is the last one. So far so good.
>>
>> %sudo -l less
>> /usr/bin/less
>>
>> but if I type in a new terminal:
>> %sudo less .bashrc
>> [sudo] password for karl:
>>
>> I am prompted to type in a password.
>>
>> So there seems to be a problem, right ?
>>
>> Regards,
>> Karl
>>
>
> Hi,
> we have a bug in sssd in versions prior 1.13.1:
> https://fedorahosted.org/sssd/ticket/2682
>
> where sudoOrder attribute is treated the other ways around. Please, try
> inverting the order. What version of sssd do you use?
>
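
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not sssd or sudo code: a small model of sudoOrder "last match" selection under the documented ordering (highest sudoOrder wins) and under the reversed ordering reported for sssd before 1.13.1. The role names and every sudoOrder value except the 100 on the less rule are assumptions, and command matching is reduced to `ALL` or an exact path.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SudoRole:
    cn: str              # hypothetical role name, not from the thread
    command: str         # "ALL" or one absolute path (no globbing in this model)
    nopasswd: bool
    sudo_order: int = 0  # sudoers.ldap: a missing sudoOrder counts as 0


def winning_role(roles, command, inverted=False):
    """Return the role that decides `command`, or None if nothing matches.

    inverted=False: documented sudoers.ldap behaviour, highest sudoOrder wins.
    inverted=True:  reversed ordering, as reported here for sssd before 1.13.1.
    """
    matching = [r for r in roles if r.command in ("ALL", command)]
    if not matching:
        return None
    pick = min if inverted else max
    return pick(matching, key=lambda r: r.sudo_order)


def prompts_for_password(roles, command, inverted=False):
    """True when the deciding role lacks NOPASSWD for `command`."""
    role = winning_role(roles, command, inverted)
    if role is None:
        raise PermissionError(f"no sudoRole matches {command}")
    return not role.nopasswd


# Constructed rule sets. Only the value 100 on the less rule is from the thread.
FIRST_ATTEMPT = [
    SudoRole("allow_all", "ALL", nopasswd=False, sudo_order=0),
    SudoRole("less_nopasswd", "/usr/bin/less", nopasswd=True, sudo_order=100),
]
SWAPPED = [
    SudoRole("allow_all", "ALL", nopasswd=False, sudo_order=100),
    SudoRole("less_nopasswd", "/usr/bin/less", nopasswd=True, sudo_order=0),
]

if __name__ == "__main__":
    for name, roles in (("first attempt", FIRST_ATTEMPT), ("swapped", SWAPPED)):
        for inverted in (True, False):
            ordering = "reversed (affected sssd)" if inverted else "documented"
            prompt = prompts_for_password(roles, "/usr/bin/less", inverted)
            print(f"{name:13} | {ordering:24} | password prompt: {prompt}")
```

In this model the swapped values only give the passwordless result while the ordering is reversed; under the documented ordering the same values make the broad `(ALL) ALL` role win again, so sudoOrder values inverted as a workaround are worth re-checking with `sudo -l` after moving to sssd 1.13.1 or later.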