What version of sssd are you using? We found that it wouldn't work with sssd < 1.14.
On the IPA server, it would say "yep, rule applies", but then on any particular machine it wouldn't (well, it would, but only intermittently). There's a COPR repo for CentOS 7 if you aren't on Fedora/RedHat.

Cheers
L.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tony Brian Albers
Sent: Tuesday, 23 August 2016 4:24 PM
To: [email protected]
Subject: [Freeipa-users] can't get sudo to work.

Hi guys,

I've been trying to get sudo to work for our day-to-day admins, who have their own user group in IPA called subadmin. For some reason I can't really get sudo to work. I suspect I am missing something simple, but I can't really figure out what it is.

This is my config:

# ipa sudorule-find
-------------------
1 Sudo Rule matched
-------------------
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: subadmin
----------------------------
Number of entries returned 1
----------------------------
#
# ipa group-find subadmin
---------------
1 group matched
---------------
  Group name: subadmin
  Description: For daily administration of users and hosts
  GID: 10003
  Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
  Roles: Sub-admins
  Member of Sudo rule: All
----------------------------
Number of entries returned 1
----------------------------
#

And on a client:

# cat /etc/sssd/sssd.conf
[domain/kac.lokalnet]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = kac.sblokalnet
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kac-man-001.kac.lokalnet
chpass_provider = ipa
ipa_server = _srv_, kac-adm-001.kac.lokalnet
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = kac.lokalnet
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files
#hosts:     db files nisplus nis dns
hosts:      files dns myhostname
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  sss files
aliases:    files nisplus
sudoers:    files sss

And for a subadmin account:

-sh-4.2$ sudo -l
[sudo] password for tba-sadm:
Your password will expire in 6 day(s).
User tba-sadm is not allowed to run sudo on kac-man-001.
-sh-4.2$

Any suggestions? Help is much appreciated.

TIA

/tony

--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt.
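Added example, not part of the thread above and not FreeIPA or sssd tooling: a small POSIX sh pre-flight script that checks the three client-side things the thread touches on before anyone starts debugging rules on the server side. It checks the installed sssd version against the 1.14 floor the reply mentions, that `sudo` appears in the `services` list of the `[sssd]` section of sssd.conf, and that the `sudoers:` line in nsswitch.conf lists `sss`. The function names, the file paths, the version strings and the sample config contents written by `write_samples` are constructed for the demo; the samples mirror the client config posted in the thread, so on those files only the version check can fail.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for IPA-managed sudo
# on an sssd client. All names, paths and sample contents here are constructed.

# sssd_version_ok VERSION -> success if VERSION is 1.14 or newer
# (the floor the reply in the thread mentions; assumed "major.minor[.patch]")
sssd_version_ok() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" -gt 1 ]; then return 0; fi
  if [ "$major" -eq 1 ] && [ "$minor" -ge 14 ]; then return 0; fi
  return 1
}

# nsswitch_sudoers_ok FILE -> success if an uncommented "sudoers:" line names sss
nsswitch_sudoers_ok() {
  grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$1"
}

# sssd_services_sudo_ok FILE -> success if "services = ..." under [sssd]
# includes sudo (a "services" line in any other section does not count)
sssd_services_sudo_ok() {
  awk '
    /^[[:space:]]*\[/ { sect_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next }
    sect_sssd && /^[[:space:]]*services[[:space:]]*=/ {
      sub(/^[^=]*=/, "")
      n = split($0, svc, ",")
      for (i = 1; i <= n; i++) {
        gsub(/[[:space:]]/, "", svc[i])
        if (svc[i] == "sudo") found = 1
      }
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# check_client VERSION SSSD_CONF NSSWITCH_CONF -> prints one line per check
# and returns the number of failed checks (0 means everything passed)
check_client() {
  fails=0
  if sssd_version_ok "$1"; then
    echo "ok   sssd $1 (>= 1.14)"
  else
    echo "FAIL sssd $1 is older than 1.14"; fails=$((fails + 1))
  fi
  if sssd_services_sudo_ok "$2"; then
    echo "ok   [sssd] services includes sudo"
  else
    echo "FAIL sudo missing from [sssd] services in $2"; fails=$((fails + 1))
  fi
  if nsswitch_sudoers_ok "$3"; then
    echo "ok   nsswitch sudoers line includes sss"
  else
    echo "FAIL sudoers line in $3 does not list sss"; fails=$((fails + 1))
  fi
  return "$fails"
}

# write_samples DIR -> writes constructed sssd.conf and nsswitch.conf into DIR,
# mirroring the relevant lines of the client config posted in the thread
write_samples() {
  cat > "$1/sssd.conf" <<'EOF'
[domain/kac.lokalnet]
id_provider = ipa
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = kac.lokalnet
[sudo]
EOF
  cat > "$1/nsswitch.conf" <<'EOF'
passwd:     files sss
group:      files sss
sudoers:    files sss
EOF
}

# Demo run on the constructed samples: same files, two different sssd versions.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== client running sssd 1.14.0 =="
check_client 1.14.0 "$demo_dir/sssd.conf" "$demo_dir/nsswitch.conf" || true
echo "== same files, sssd 1.13.4 =="
check_client 1.13.4 "$demo_dir/sssd.conf" "$demo_dir/nsswitch.conf" || echo "-> $? check(s) failed"
rm -rf "$demo_dir"
```

On a real RPM-based client the call would be `check_client "$(rpm -q --qf '%{VERSION}' sssd)" /etc/sssd/sssd.conf /etc/nsswitch.conf`. The script only inspects local files; it cannot tell whether the rule actually reaches the client, so after it passes the next step is still `sudo -l` as the affected user (as in the thread), and after any sssd.conf change a restart of sssd so the new services list takes effect.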
