Hi guys,

I've been trying to get sudo to work for our day-to-day admins, who have
their own user group in IPA called subadmin.

For some reason I can't really get sudo to work, I suspect I am missing
something simple, but I can't really figure out what it is.

This is my config:

# ipa sudorule-find
1 Sudo Rule matched
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: subadmin
Number of entries returned 1

# ipa group-find subadmin
1 group matched
  Group name: subadmin
  Description: For daily administration of users and hosts
  GID: 10003
  Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
  Roles: Sub-admins
  Member of Sudo rule: All
Number of entries returned 1

And on a client:

# cat /etc/sssd/sssd.conf
[domain/kac.lokalnet]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = kac.sblokalnet
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kac-man-001.kac.lokalnet
chpass_provider = ipa
ipa_server = _srv_, kac-adm-001.kac.lokalnet
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = kac.lokalnet
[nss]
homedir_substring = /home

# cat /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  sss files
aliases:    files nisplus
sudoers:    files sss

And for a subadmin account:

-sh-4.2$ sudo -l
[sudo] password for tba-sadm: 
Your password will expire in 6 day(s).
User tba-sadm is not allowed to run sudo on kac-man-001.

Any suggestions?  Help is much appreciated.



Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316
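The following script is an added example and is not code from the post above or from the FreeIPA or SSSD projects. It lints, offline, the client-side prerequisites that must hold before "sudo -l" on an IPA-enrolled host can return rules from the directory: nsswitch.conf must route the sudoers database to sss, the [sssd] services list must include sudo, and ipa_domain in the [domain/...] section must be the real IPA domain, since the ipa provider uses it for _srv_ discovery and, unless ldap_search_base is set, for the default LDAP search base. The sample sssd.conf and nsswitch.conf it writes are constructed here to mirror the values in the post (including the ipa_domain value, which differs from the domain name and so is flagged); whether that difference is what breaks the poster's sudo is not something the post settles, so the script reports it as a warning to verify rather than as the cause.

```shell
#!/bin/sh
# Added example, not code from the original post: an offline lint of the client-side
# prerequisites for SSSD to answer "sudo -l" from IPA sudo rules.
#   1. nsswitch.conf must route the sudoers database to sss;
#   2. the [sssd] services list must include "sudo";
#   3. ipa_domain in the [domain/...] section should be the real IPA domain: the
#      ipa provider uses it for _srv_ lookups and for the default LDAP search base.
# The two files checked are parameters; the sample contents at the bottom are
# constructed here to mirror the post and were not captured from a host.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == sec); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# list_has "a, b, c" ITEM: exact match of ITEM against a comma-separated list.
list_has() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | grep -qx "$2"
}

# nss_sudoers_has_sss NSSWITCH: 0 when the sudoers: line names sss.
nss_sudoers_has_sss() {
    grep -E '^[[:space:]]*sudoers:' "$1" | grep -qw sss
}

# sssd_services_has_sudo SSSD_CONF: 0 when [sssd] services includes sudo.
sssd_services_has_sudo() {
    list_has "$(ini_get "$1" sssd services)" sudo
}

# ipa_domain_consistent SSSD_CONF: 0 when ipa_domain is unset (it then defaults
# to the section name) or equals the first domain listed in [sssd] domains.
ipa_domain_consistent() {
    dom=$(ini_get "$1" sssd domains | tr ',' '\n' | tr -d ' \t' | sed -n 1p)
    ipa=$(ini_get "$1" "domain/$dom" ipa_domain)
    [ -z "$ipa" ] || [ "$ipa" = "$dom" ]
}

# check_sudo_prereqs SSSD_CONF NSSWITCH: print each finding, return their count.
check_sudo_prereqs() {
    n=0
    nss_sudoers_has_sss "$2" || { echo "FAIL: $2: sudoers: line does not list sss"; n=$((n + 1)); }
    sssd_services_has_sudo "$1" || { echo "FAIL: $1: [sssd] services lacks sudo"; n=$((n + 1)); }
    ipa_domain_consistent "$1" || { echo "WARN: $1: ipa_domain differs from the [domain/...] name; verify it is the real IPA domain"; n=$((n + 1)); }
    return "$n"
}

# --- constructed sample input mirroring the post (not captured from a host) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/sssd.conf" <<'EOF'
[domain/kac.lokalnet]
id_provider = ipa
ipa_domain = kac.sblokalnet
ipa_server = _srv_, kac-adm-001.kac.lokalnet

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = kac.lokalnet
EOF
cat > "$TMP/nsswitch.conf" <<'EOF'
passwd:     files sss
group:      files sss
sudoers:    files sss
EOF
# A second copy with ipa_domain set to the same value as the domain name, for a clean run.
sed 's/^ipa_domain = .*/ipa_domain = kac.lokalnet/' "$TMP/sssd.conf" > "$TMP/sssd-same.conf"

echo "== as posted"; check_sudo_prereqs "$TMP/sssd.conf" "$TMP/nsswitch.conf"; echo "findings: $?"
echo "== ipa_domain matching the domain name"; check_sudo_prereqs "$TMP/sssd-same.conf" "$TMP/nsswitch.conf"; echo "findings: $?"
```

Point the two path arguments at /etc/sssd/sssd.conf and /etc/nsswitch.conf on the client to run it against a live host; a clean result only shows the local plumbing is in place, so the next step on a zero-finding host is the server side (the rule's host and user membership, then the sudo debug log of SSSD).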

