Actually, I use local (external) users in my sudo rules in IPA 4.2 with no problem.
Example: Rule name: TestDBAs Description: access for members of the TestDBAs group Enabled: TRUE Command category: all User Groups: testdbas Host Groups: corp_oracle RunAs External User: oracle In this example, 'oracle' is a local user on the server (not in IPA). I hope this functionality does not go away. Thanks, Josh > -----Original Message----- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Rob Verduijn > Sent: Thursday, February 04, 2016 10:54 AM > To: Jakub Hrozek > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] what is the sudo rule runasuser local user > account > > On Centos7.2 all patches applied I used the command: > ipa-client-install --enable-dns-updates > > Rob > > 2016-02-04 16:45 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>: > > On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote: > >> Hello, > >> > >> I've noticed that the sudorule-add-runasuser no longer has en > >> --external option > >> > >> What is the current method to add a local service account to a sud > >> rule list so that users may run sudo as that service account (ie > >> apache or jboss) > >> > >> Cheers > >> Rob Verudijn > > > > I know I'm not answering your question but how did you configure the > > client side earlier? Did you use the native/legacy sudo ldap driver? > > > > The reason I'm asking this is that sssd only supports users it > > handles, so in the IPA case it only supports IPA users anyway.. > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project