On Fri, Aug 29, 2014 at 09:30:55AM +0300, Tevfik Ceydeliler wrote:
> Here is my configuration and client output. I don't know what is wrong.

Please keep the freeipa-users list in the CC list; other users might run into
the same problem.

> =======================================================
> Server Side:
> [root@srv ~]# ipa sudorule-find
> -------------------
> 1 Sudo Rule matched
> -------------------
>   Rule name: log-reading
>   Enabled: TRUE
>   Users: kduser1, user1
>   Hosts: clnt2.ipa.grp, clnt.ipa.grp
>   Sudo Allow Commands: /usr/bin/less, /usr/bin/vi, /usr/bin/yum, /usr/bin/apt-get
>   Sudo Option: !authenticate
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
>
> And client side:
> 1. nsswitch.conf:
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat sss
> group:          compat sss
> shadow:         compat
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns
> networks:       files
>
> protocols:      sss files
> services:       sss files
> ethers:         sss files
> rpc:            sss files
>
> netgroup:       nis sss
> sudoers:        files sss
> sudoers_debug:  1
>
> 2. sssd.conf:
>
> [domain/ipa.grp]
> krb5_realm = IPA.GRP
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.grp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = clnt.ipa.grp
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, srv.ipa.grp
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = ipa.grp
> [nss]
> homedir_substring = /home
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
> ldap_sasl_mech = GSSAPI
> ldap=sasl_authid = host/cnlt2.ipa.grp
> ldap_sasl_realm = IPA.GRP
> ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
> sudo_provider = ldap
> ldap_uri = ldap://srv.ipa.grp
> krb5_server = srv.ipa.grp

These options belong to the [domain] section, you put them into the [pac]
section.

>
> When I try to use sudo:
>
> user1@clnt:~$ sudo -i user1 vi apt-get update
> [sudo] password for user1:
> Sorry, user user1 is not allowed to execute '/bin/bash -c user1 vi apt-get
> update' as root on clnt.ipa.grp.
> user1@clnt:~$
>
> =======================================================
> On 28-08-2014 17:21, Jakub Hrozek wrote:
> >On Thu, Aug 28, 2014 at 02:53:35PM +0300, Tevfik Ceydeliler wrote:
> >>After configuration, for example, I try to create policy about sudo
> >>command, let's say I want to run "apt-get" command by sudo as client
> >>
> >>How can I use it in client side?
> >>Any example?
> >I still don't understand what you mean, did you check out the 'ipa
> >sudorule-add-runasuser' command?
> >
> >--

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
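A small checker for the section-placement mistake pointed out above, added here as an example and not part of the thread or of SSSD itself: it reads a condensed copy of the posted sssd.conf and reports per-domain options that landed outside a [domain/...] section, plus the mistyped "ldap=sasl_authid" line. The prefix list of domain-only options is an assumption of this checker, not the full list from sssd.conf(5).

```python
import configparser

# Added example, not from the thread: flag sssd.conf options that only take
# effect inside a [domain/<name>] section but were placed elsewhere (where
# SSSD does not apply them), plus key typos such as "ldap=sasl_authid".
# The prefix list is an assumption of this checker, not the full list
# from sssd.conf(5).
DOMAIN_ONLY_PREFIXES = ("ldap_", "krb5_", "ipa_", "sudo_")

# Condensed copy of the configuration posted in the thread (constructed input).
SAMPLE_SSSD_CONF = """\
[domain/ipa.grp]
krb5_realm = IPA.GRP
id_provider = ipa
ipa_server = _srv_, srv.ipa.grp
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.grp
[nss]
homedir_substring = /home
[sudo]
[pac]
ldap_sudo_search_base = ou=sudoers,ou=ipa,dc=grp
ldap_sasl_mech = GSSAPI
ldap=sasl_authid = host/cnlt2.ipa.grp
ldap_sasl_realm = IPA.GRP
ldap_netgroup_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp
"""


def check_sssd_conf(conf_text):
    """Return {'misplaced': [(section, key)], 'malformed': [(section, line)]}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    misplaced, malformed = [], []
    for section in cp.sections():
        if section.startswith("domain/"):
            continue  # per-domain options are where they belong
        for key, value in cp[section].items():
            if key.startswith(DOMAIN_ONLY_PREFIXES):
                misplaced.append((section, key))
            elif "=" in value:
                # "ldap=sasl_authid = host/..." parses as key "ldap": a mistyped option
                malformed.append((section, f"{key}={value}"))
    return {"misplaced": misplaced, "malformed": malformed}
```

Running check_sssd_conf(SAMPLE_SSSD_CONF) lists every ldap_*, sudo_provider and krb5_server entry under [pac] as misplaced and the "ldap=sasl_authid" line as malformed.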
