On 01/30/2017 01:38 AM, Jakub Hrozek wrote:
> On Fri, Jan 27, 2017 at 02:15:16PM -0700, Orion Poplawski wrote:
>> EL7.3
>> Users are in active directory via AD trust with IPA server
>>
>> sudo is configured via files - users in our default "nwra" group can run
>> certain sudo commands, e.g.:
>>
>> Cmnd_Alias WAKEUP = /sbin/ether-wake *
>> %nwra,%visitor,%ivm   ALL=NOPASSWD: WAKEUP
>>
>> However, sometimes when I run sudo /sbin/ether-wake I get prompted for my
>> password.  Other times it works fine.  I've attached some logs from failed
>> attempt.
> 
> So the sudo command is successful in the end, it 'just' prompts for a
> password?

No, it fails when given the password:

Sorry, user USER is not allowed to execute '/sbin/ether-wake XXX' as root on HOST.

Turns out I'm an idiot.  Needed to run ipa-adtrust-install on all of the IPA
servers and make sure things were working on all of them.  Things would break
depending on which ipa server the client sssd was connected to.

-- 
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                   http://www.nwra.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project