On Thu, Nov 09, 2017 at 02:07:03AM +0000, Andrew Meyer via FreeIPA-users wrote:
> Hello, I am trying to set up a few of my users to have the ability to
> su - jira or another user using FreeIPA.
>
> Here is what happens when I am logged in as the user and try to su - jira
>
> [user1@jira02 ~]$ sudo su - process
> [sudo] password for user1:
> Sorry, user user1 is not allowed to execute '/bin/su - jira' as root on jira02.example.net.
> [user1@jira02 ~]$
>
> [andrew.meyer@jira02 ~]$ ipa sudorule-show su_jira
>   Rule name: su_jira
>   Enabled: TRUE
>   Host category: all
>   RunAs User category: all
>   RunAs Group category: all
>   User Groups: developers, ops_sudoers
>   Sudo Allow Command Groups: jira_access
>   Sudo Option: !authenticate
> [andrew.meyer@jira02 ~]$
>
> [andrew.meyer@jira02 ~]$ ipa sudocmd-find su_jira_cmds
> ----------------------
> 1 Sudo Command matched
> ----------------------
>   Sudo Command: /usr/bin/su - jira,/usr/bin/sudo su - jira,/bin/su - jira,/bin/sudo - jira
>   Description: su_jira_cmds
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> What am I doing wrong?

I would first run "sudo -l" to see if the user is able to run any sudo commands at all. Then I'd proceed to sudo debugging from https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html#obtaining-logs to see what data was transferred to sudo and how sudo evaluated them.