(redface) It seems to be working.
Thanks

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 20 September 2016 at 09:57, Lachlan Musicman <data...@gmail.com> wrote:

> We have one "allow all" sudo rule (anyone, any host, any command).
>
> Matching Defaults entries for root on this host:
>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User root may run the following commands on this host:
>     (ALL) ALL
>
>
> My sssd.conf has:
>
> [domain/unixdev.etc]
> ...
> sudo_provider = ldap
> ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
> ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
> ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
> krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = unixdev.petermac.org.au
> debug_level = 6
>
> [sudo]
> debug_level = 6
>
> but only on the server - does that need to filter down to each client? The
> client side sssd.confs seem to be auto created when ipa-client-install is
> run, and are stripped down...
>
> cheers
> L.
>
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
> On 19 September 2016 at 18:21, Lukas Slebodnik <lsleb...@redhat.com> wrote:
>
>> On (19/09/16 16:43), Lachlan Musicman wrote:
>> >I must have made an error again:
>> >
>> >- ipa hbactest gives seemingly correct answer on both server and client
>> >- user can't actually use sudo on client?
>> >
>> >Centos 7, freeipa 4.2.o/2.156; sssd 1.14.1 from COPR
>> >
>> >From the server:
>> >
>> >[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au
>> >--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
>> >--------------------
>> >Access granted: True
>> >--------------------
>> >  Matched rules: Cluster Admin Users (sudo)
>> >  Not matched rules: Cluster Users
>> >[root@vmdv-linuxidm1 ~]#
>> >
>> >
>> >From the host in question:
>> >
>> >[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au
>> >--host `hostname` --service sudo
>> >--------------------
>> >Access granted: True
>> >--------------------
>> >  Matched rules: Cluster Admin Users (sudo)
>> >  Not matched rules: Cluster Users
>> >[root@vmts-linuxclient1 ~]#
>> >
>> >
>> >[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
>> >[sudo] password for lsimp...@petermac.org.au:
>> >lsimp...@petermac.org.au is not allowed to run sudo on
>> >vmts-linuxclient1.
>> >This incident will be reported.
>> >
>> Did you configure sudo rules for such user?
>> What is an output of "sudo -l"
>>
>> LS
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
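The open question in the thread is whether the server-side sssd.conf has to "filter down" to each client. It does not: SSSD is consulted per host, so each client must itself run the sudo responder (`sudo` in the `services =` list of its `[sssd]` section) and route sudoers lookups through it (`sss` on the `sudoers:` line of /etc/nsswitch.conf); `sudo -l` on the client, as Lukas asked for, is the runtime confirmation. The script below is an added example, not something posted in the thread or shipped by FreeIPA or SSSD: it reads those two settings from files passed as arguments and reports what is missing. The sample sssd.conf and nsswitch.conf contents, the `example.test` domain and the temp-directory paths are constructed so it runs offline; on a live client you would point it at /etc/sssd/sssd.conf and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only check of the two client-side
# settings that sudo-via-SSSD depends on. Paths are passed in so the check runs
# against constructed sample files below instead of a live /etc.

# Return 0 when the [sssd] section's "services =" line includes sudo.
sssd_has_sudo_service() {
  awk '
    # Section headers: remember whether we are inside [sssd].
    /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next }
    in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
      sub(/^[^=]*=/, "")                      # keep only the value
      n = split($0, parts, /[[:space:],]+/)   # comma/space separated list
      for (i = 1; i <= n; i++) if (parts[i] == "sudo") found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Return 0 when the nsswitch "sudoers:" line routes lookups through sss.
nsswitch_has_sss_sudoers() {
  awk '
    /^[[:space:]]*sudoers[[:space:]]*:/ {
      sub(/^[^:]*:/, "")                      # keep only the source list
      n = split($0, parts, /[[:space:]]+/)
      for (i = 1; i <= n; i++) if (parts[i] == "sss") found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Run both checks, report each, and return 0 only when both pass.
check_client_sudo_config() {
  rc=0
  if sssd_has_sudo_service "$1"; then
    echo "ok:      $1 lists sudo in [sssd] services"
  else
    echo "missing: $1 needs sudo in 'services =' under [sssd]"; rc=1
  fi
  if nsswitch_has_sss_sudoers "$2"; then
    echo "ok:      $2 has sss on the sudoers: line"
  else
    echo "missing: $2 needs 'sudoers: files sss'"; rc=1
  fi
  return $rc
}

# Constructed sample files; the domain name is a placeholder, not a real host.
sample_dir=$(mktemp -d)
cat > "$sample_dir/sssd.conf.stripped" <<'EOF'
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.test

[domain/example.test]
id_provider = ipa
EOF
cat > "$sample_dir/sssd.conf.fixed" <<'EOF'
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.test

[domain/example.test]
id_provider = ipa
EOF
cat > "$sample_dir/nsswitch.conf.fixed" <<'EOF'
passwd:     files sss
sudoers:    files sss
EOF
printf 'sudoers: files\n' > "$sample_dir/nsswitch.conf.stripped"

echo "--- stripped client ---"
check_client_sudo_config "$sample_dir/sssd.conf.stripped" "$sample_dir/nsswitch.conf.stripped" || true
echo "--- corrected client ---"
check_client_sudo_config "$sample_dir/sssd.conf.fixed" "$sample_dir/nsswitch.conf.fixed" || true
```

The check only inspects the local files; it deliberately does not tell you whether the IPA sudo rules themselves match the user and host, which is what `ipa hbactest --service=sudo` on the server and `sudo -l` on the client answer between them.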