On Wed, Jun 12, 2013 at 1:56 AM, Sina Owolabi <[email protected]> wrote:
> Hi
> Please help me understand what I am doing wrong:
>
> I'm using two RHEL 6.4 ipa servers in a multi-master configuration.
> Instead of creating multiple sudocmdgroups and sudo rules, I tried to subset
> what I could see in the /etc/sudoers files and have nested command groups
> and rules, to be applied to certain users and hostgroups as needed.
> I have a hostgroup called allservers, which applies to all servers.
>
> The allservers hostgroup is a member of sudo rule admin-commands, which I
> created for specific users to be able to run admin commands on all servers.
> I have added as members multiple sudogroups, each of which has a number of
> commands inside of it. Despite this, I find that sudo does not allow me to
> run any command as the users added to the admin-command rule. Please help me
> see where my logic is broken, and what to do to fix it. Thanks a lot in
> advance.
We have deployed sudo across all our ipa nodes with cfengine. The configuration you need is this:

/etc/sudo-ldap.conf (permissions 640)

    TLS_CACERT /etc/ipa/ca.crt
    TLS_REQCERT demand
    SASL_MECH GSSAPI
    BASE dc=domain,dc=tld
    URI ldaps://kdc1.domain.tld ldaps://kdc2.domain.tld
    ROOTUSE_SASL on
    SUDOERS_BASE ou=sudoers,dc=,dc=domain,dc=tld
    SUDOERS_DEBUG 0

If you need debugging, change SUDOERS_DEBUG to 1.

In /etc/nsswitch.conf, you need to have this:

    sudoers: files ldap

sudo needs a nisdomain defined, so in all the nodes you can edit the /etc/sysconfig/network file and add something like this:

    NISDOMAIN=domain.tld

after which a reboot is needed. When you log in to the node, in the shell you enter

    $ nisdomainname

and you need to see your ipa domain name in there.

If you have a configuration management system modify these files for you, do not forget to restore the selinux context in /etc if selinux is enabled.

After that, create a sudo rule. This is our admins sudo rule:

    $ ipa sudorule-show admins
      Rule name: admins
      Description: admins may run any command on anyhost
      Enabled: TRUE
      Host category: all
      Command category: all
      User Groups: admins
      Sudo Option: !authenticate

It works. I have not yet created other sudo rules limited to a set of hosts/commands, but it should be straightforward.

--
natxo
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
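The client-side settings natxo lists (sudo-ldap.conf with TLS_REQCERT demand, GSSAPI and ldaps:// URIs, mode 640, the sudoers: files ldap line in nsswitch.conf, and a NISDOMAIN matching the IPA domain) are easy to get subtly wrong on one node out of many, which shows up exactly as "sudo silently denies everything". The script below is an added example, not code from the thread or from FreeIPA: it checks those settings against sample files constructed in a temporary directory (one correct node and one weak one). The paths under $DEMO, the domain.tld values and the function names are assumptions for the demo; on a real node the same functions would be pointed at /etc/sudo-ldap.conf, /etc/nsswitch.conf and /etc/sysconfig/network.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity-check the
# sudo-over-LDAP client settings from natxo's reply. All file contents
# below are constructed for the demo; hostnames, domain and the
# $DEMO directory are placeholders, not real infrastructure.

# Return 0 if sudo-ldap.conf carries the expected values:
# TLS_REQCERT demand, SASL_MECH GSSAPI, ROOTUSE_SASL on,
# an ldaps:// URI and a SUDOERS_BASE under ou=sudoers.
check_sudo_ldap_conf() {
    f="$1"
    grep -Eq '^[[:space:]]*TLS_REQCERT[[:space:]]+demand' "$f" || { echo "$f: TLS_REQCERT is not 'demand'"; return 1; }
    grep -Eq '^[[:space:]]*SASL_MECH[[:space:]]+GSSAPI' "$f" || { echo "$f: SASL_MECH is not GSSAPI"; return 1; }
    grep -Eq '^[[:space:]]*ROOTUSE_SASL[[:space:]]+on' "$f" || { echo "$f: ROOTUSE_SASL is not on"; return 1; }
    grep -Eq '^[[:space:]]*URI[[:space:]]+ldaps://' "$f" || { echo "$f: URI does not use ldaps://"; return 1; }
    grep -Eq '^[[:space:]]*SUDOERS_BASE[[:space:]]+ou=sudoers,' "$f" || { echo "$f: SUDOERS_BASE missing"; return 1; }
    return 0
}

# Return 0 if the file mode is exactly 640 (the permissions the reply requires).
# Tries GNU stat first, then BSD stat, so the demo runs on either.
check_mode_640() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "640" ]
}

# Return 0 if nsswitch.conf resolves sudoers from files first, then ldap.
check_nsswitch() {
    grep -Eq '^[[:space:]]*sudoers:[[:space:]]+files[[:space:]]+ldap' "$1"
}

# Return 0 if NISDOMAIN in the sysconfig network file equals the IPA domain.
check_nisdomain() {
    expected="$2"
    actual=$(sed -n 's/^NISDOMAIN=//p' "$1" | tail -n 1)
    [ "$actual" = "$expected" ]
}

# Constructed sample files: a correctly configured node and a weak one.
DEMO=$(mktemp -d)
cat > "$DEMO/sudo-ldap.conf" <<'EOF'
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE dc=domain,dc=tld
URI ldaps://kdc1.domain.tld ldaps://kdc2.domain.tld
ROOTUSE_SASL on
SUDOERS_BASE ou=sudoers,dc=domain,dc=tld
SUDOERS_DEBUG 0
EOF
chmod 640 "$DEMO/sudo-ldap.conf"

# Weak variant: certificate not verified, plain ldap://, world-readable.
cat > "$DEMO/sudo-ldap-weak.conf" <<'EOF'
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT never
SASL_MECH GSSAPI
BASE dc=domain,dc=tld
URI ldap://kdc1.domain.tld
ROOTUSE_SASL on
SUDOERS_BASE ou=sudoers,dc=domain,dc=tld
EOF
chmod 644 "$DEMO/sudo-ldap-weak.conf"

printf 'passwd: files sss\nsudoers: files ldap\n' > "$DEMO/nsswitch.conf"
printf 'NETWORKING=yes\nNISDOMAIN=domain.tld\n' > "$DEMO/network"

# Run every check against the good node; return 0 only if all pass.
run_all() {
    check_sudo_ldap_conf "$DEMO/sudo-ldap.conf" &&
    check_mode_640 "$DEMO/sudo-ldap.conf" &&
    check_nsswitch "$DEMO/nsswitch.conf" &&
    check_nisdomain "$DEMO/network" domain.tld
}

if run_all; then
    echo "sudo-ldap client configuration is consistent"
else
    echo "sudo-ldap client configuration needs attention"
fi
```

The checks are deliberately line-anchored greps rather than a full parser, so they can be dropped into a cfengine or similar compliance run on each node; the weak sample shows the kind of drift (TLS_REQCERT never, ldap:// instead of ldaps://, mode 644) that the functions reject.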
