Hi all,

On a brand new install, sudo for hostgroup seems not to work. I create a sudo rule for admins, only to do "everything" on all servers within the hostgroup "ipaservers":

  Rule name: s3_sudo_freeipa_admins
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: admins
  Host Groups: ipaservers

However, user admins is not allowed to do so:

  admin@freeipa1 ~]$ sudo -l
  [sudo] password for admin:
  Sorry, user admin may not run sudo on freeipa1.

Removing the group but adding the two FreeIPA-servers:

  Rule name: s3_sudo_freeipa_admins
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: admins
  Hosts: freeipa1.example.local, freeipa2.example.local

After cleaning the sssd-cache:

  sudo -l
  [sudo] password for admin:
  Matching Defaults entries for admin on freeipa1:
      !visiblepw, always_set_home, match_group_by_gid, env_reset,
      env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
      env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
      env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
      env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
      env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
      secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

  User admin may run the following commands on freeipa1:
      (ALL : ALL) ALL

There are no clients yet; this issue was reproduced on a brand new CentOS 7.5 IPA installation with no modifications or else...

What's happening here?

Winfried
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org