On Tue, Jul 17, 2012 at 1:40 PM, KodaK <sako...@gmail.com> wrote: > On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal <d...@redhat.com> wrote: >> On 07/17/2012 11:50 AM, KodaK wrote: >>> I've been banging my head on this for a couple of days, and I can't >>> find anything in the docs or by searching. >>> >>> I'm trying to do what I think should be pretty simple: I have a group >>> of users and an application account, all in IPA. I want users in that >>> group to be able to "sudo su - appacct". >>> >>> What I've found is that I probably can't do it exactly like that, so >>> now I'm trying "sudo -i appacct", but I can't get that to work either. >>> >>> My rule is set up like this: >>> >>> rule name: become-appacct >>> sudo option: -i appacct (I'm not sure this is right.) >>> user groups: admins, appgroup >>> host groups: apphostgroup >>> >>> Everything else is blank. Note that this is just the current >>> configuration, I've tried a bunch of iterations. >>> >>> Any help? >>> >>> Thanks, >>> >>> --Jason >>> >> If you are using IPA it internally has a different schema for sudo than >> the one published on the sudo web site >> http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=install/share/65ipasudo.ldif;h=7a85c8659c33794d3127d208452dcb54ad34d59e;hb=HEAD >> >> It is then transformed into a traditional sudo schema using the compat tree. >> >> So what you need to do is make sure you create the right sudo rule. >> >> Your sudo rule should use: >> user groups: admins, appgroup >> host groups: apphostgroup >> command: sudo -i > > Thanks. I had some fighting to do to get sudo to talk to ldap on this > box, but I have that going now. > > If I understand you correctly, I've created a rule like you've > suggested. however, I get: > > Sorry, user jebalicki is not allowed to execute '/bin/bash -c > cdcadmin' as root on slncdcl01.unix.magellanhealth.com.
I got it. I was able to use: Rule name: become-cdcadmin Enabled: TRUE User Groups: admins, stsg Host Groups: cdchosts Sudo Allow Commands: /bin/su - cdcadmin I thought I tried that first, but I must have had something else wrong. Thanks, --Jason -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6 _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users