Hi all,

On a brand new install, sudo for a hostgroup seems not to work. I create
a sudo rule for admins, allowed to do "everything" on all servers within
the hostgroup "ipaservers":

  Rule name: s3_sudo_freeipa_admins
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: admins
  Host Groups: ipaservers

However, user admin is not allowed to do so:

[admin@freeipa1 ~]$ sudo -l
[sudo] password for admin: 
Sorry, user admin may not run sudo on freeipa1.

Removing the group but adding the two FreeIPA-servers: 
  Rule name: s3_sudo_freeipa_admins
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: admins
  Hosts: freeipa1.example.local, freeipa2.example.local

After cleaning the sssd-cache:

sudo -l
[sudo] password for admin: 
Matching Defaults entries for admin on freeipa1:
    !visiblepw, always_set_home, match_group_by_gid, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User admin may run the following commands on freeipa1:
    (ALL : ALL) ALL

There are no clients yet; this issue was reproduced on a brand new
CentOS 7.5 IPA installation with no modifications or anything else...

What's happening here?

Winfried

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
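The two rules in the post differ only in how the host is named: explicit FQDNs versus a hostgroup. IPA exports a hostgroup in a sudo rule as a netgroup (`+ipaservers` in `sudoHost`), so the rule only applies if the client can resolve that netgroup to a membership that includes itself, whereas an explicit FQDN matches with no further lookup. The following is an added, simplified model of that matching step with constructed data; it is not SSSD's or sudo's code, and the rule names, hostnames, address and the netgroup map are assumptions used for illustration.

```python
"""Simplified model of how a client decides whether an LDAP sudo rule
applies to the local host.  Added example with constructed data; this is
not SSSD's or sudo's implementation, only the shape of the decision."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SudoRule:
    name: str
    sudo_hosts: list                     # values of the sudoHost attribute
    sudo_users: list = field(default_factory=list)
    enabled: bool = True


def host_matches(entry, fqdn, addrs, netgroups):
    """Return True when one sudoHost value matches this host.

    Forms handled: 'ALL', an exact FQDN or short name, '+netgroup'
    (an IPA hostgroup is exported to sudo as a netgroup), and IP/CIDR.
    A hostgroup rule therefore depends on the netgroup lookup returning
    this host; an explicit host name matches without any resolution.
    """
    if entry == "ALL":
        return True
    if entry.startswith("+"):
        return fqdn in netgroups.get(entry[1:], set())
    if entry.lower() in (fqdn.lower(), fqdn.split(".")[0].lower()):
        return True
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False                     # neither a name we own nor an address
    return any(ipaddress.ip_address(a) in net for a in addrs)


def applicable_rules(rules, fqdn, addrs, netgroups):
    """Names of enabled rules with at least one sudoHost matching this host."""
    return [
        r.name
        for r in rules
        if r.enabled and any(host_matches(h, fqdn, addrs, netgroups) for h in r.sudo_hosts)
    ]


# Constructed data mirroring the two rule variants described in the post.
RULE_BY_HOSTGROUP = SudoRule("s3_sudo_freeipa_admins", ["+ipaservers"], ["%admins"])
RULE_BY_HOST = SudoRule(
    "s3_sudo_freeipa_admins",
    ["freeipa1.example.local", "freeipa2.example.local"],
    ["%admins"],
)
HOST = "freeipa1.example.local"
ADDRS = ["192.0.2.10"]                   # constructed, documentation range


def demo():
    # Netgroup membership resolved: the hostgroup rule applies.
    resolved = {"ipaservers": {"freeipa1.example.local", "freeipa2.example.local"}}
    # Netgroup lookup returned nothing (for example a stale cache): the
    # hostgroup rule silently does not apply, the explicit-host rule still does.
    unresolved = {}
    return {
        "hostgroup_resolved": applicable_rules([RULE_BY_HOSTGROUP], HOST, ADDRS, resolved),
        "hostgroup_unresolved": applicable_rules([RULE_BY_HOSTGROUP], HOST, ADDRS, unresolved),
        "explicit_hosts": applicable_rules([RULE_BY_HOST], HOST, ADDRS, unresolved),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(f"{case}: {names or 'no rule applies'}")
```

When a hostgroup-based rule yields "may not run sudo" while the same rule with explicit hosts works, the netgroup resolution path is the first thing to check on the client, since it is the only step the two variants do not share.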