On 10/16/2012 06:04 PM, Rob Crittenden wrote:
> Toasted Penguin wrote:
>> I have the server set up to manage sudo and I configured a target client
>> to use the IPA server for sudo. When a user tries to use sudo (in this
>> case "sudo su -") it fails and they get the error "user is not allowed
>> to run sudo on client-host. This incident will be reported." I verified
>> via the log files that the client is making requests to the IPA server
>> when the user is attempting to use sudo and it fails. I temporarily
>> disabled using the IPA server for sudo and I get the standard "User not
>> in the sudoers file...."
>> It's starting to look like the server rules may be the issue but I believe
>> I have the sudo rule set up correctly. I created a sudo command
>> "/bin/su", created a sudo rule "Sudo to root", added the group the user
>> in question is a part of to the WHO-->User Groups; added the Host Group
>> the target client host is part of to Access This Host-->Host Groups
>> and added the sudo command to the sudo rule via Allow-->Sudo Allow
>> Commands. When I delete the sudo rule I get the same result as I did
>> when I temporarily disabled the client host using the IPA server for
>> sudo verification.
>> Any ideas why or where to look to figure out this issue?
>> Thanks,
>> David
>
> I took a look at the docs and they state to edit /etc/nscld.conf. You
> want /etc/ldap.conf for the configuration. Can you give that a try?
>
> Adding sudoers_debug 2 should provide copious information on stdout.
>

Also following another thread might help
https://www.redhat.com/archives/freeipa-users/2012-October/msg00097.html

> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.