Hi, sounds too complex, don't nest, KISS, Keep It Simple and Stupid.
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: [email protected] [[email protected]] on behalf of Sina Owolabi [[email protected]]
Sent: Wednesday, 12 June 2013 11:56 a.m.
To: [email protected]
Subject: [Freeipa-users] Sudo Commands and groups confusion

Hi

Please help me understand what I am doing wrong:

I'm using two RHEL 6.4 IPA servers in a multi-master configuration. Instead of creating multiple sudocmdgroups and sudo rules, I tried to subset what I could see in the /etc/sudoers files and have nested command groups and rules, to be applied to certain users and hostgroups as needed.

I have a hostgroup called allservers, which applies to all servers. The allservers hostgroup is a member of sudo rule admin-commands, which I created for specific users to be able to run admin commands on all servers. I have added as members multiple sudogroups, each of which has a number of commands inside of them.

Despite this, I find that sudo does not allow me to run any command as the users added to the admin-commands rule.

Please help me see where my logic is broken, and what to do to fix it. Thanks a lot in advance.

My sudo-ldap.conf is correctly configured, and so is nsswitch.conf. Output is below:

sudo service httpd status
[sudo] password for tuser:
tuser is not allowed to run sudo on waphost.  This incident will be reported.

ipa sudorule-find admin-commands
-------------------
1 Sudo Rule matched
-------------------
  Rule name: admin-commands
  Enabled: TRUE
  Users: tuser
  Host Groups: allservers
  Sudo Allow Command Groups: locate, networking, rooting, services, software, storage
  Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------

--
best regards,
Sina Owolabi
+2348034022578
+2348176469061
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
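Steven's advice made concrete: the same admin-commands rule rebuilt flat with the ipa CLI, commands attached directly to the rule with no command groups in between. This is an added example, not code from the thread; the rule, user, hostgroup and option names come from Sina's output, the command paths are constructed sample values, and it assumes the rule and sudocmd objects do not exist yet (set IPA=echo for a dry run that only prints the ipa calls).

```shell
#!/bin/sh
# Flat FreeIPA sudo rule (KISS layout): sudocmd objects are allowed on the
# rule directly, so there is no sudocmdgroup nesting for sudo to resolve.
# IPA=echo turns every call into a printed dry run instead of a real change.
IPA="${IPA:-ipa}"

# Usage: create_flat_admin_rule RULE CMD...
# Assumes RULE and each CMD are not yet defined in IPA (ipa refuses duplicates).
create_flat_admin_rule() {
  rule="$1"
  shift
  "$IPA" sudorule-add "$rule" || return 1
  for cmd in "$@"; do
    # A command must exist as a sudocmd object before a rule can allow it.
    "$IPA" sudocmd-add "$cmd" || return 1
    "$IPA" sudorule-add-allow-command "$rule" --sudocmds="$cmd" || return 1
  done
  # Same subjects as the original rule: user tuser, hostgroup allservers,
  # and the !authenticate option.
  "$IPA" sudorule-add-user "$rule" --users=tuser || return 1
  "$IPA" sudorule-add-host "$rule" --hostgroups=allservers || return 1
  "$IPA" sudorule-add-option "$rule" --sudooption='!authenticate' || return 1
}
```

After a real run, `sudo -l` as tuser on a host in allservers should list the allowed commands; if it does not, the problem is in the client's sudo-ldap/nsswitch path rather than in the rule layout.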
