IdM sudo rule not allowed: user is not allowed to execute 'command'

Solution Verified - Updated -

Issue

  • SUDO rule created on IdM server does not grant user to run allowed commands

  • Below SUDO rule is created on IdM to allow user bob to run su - jane:

    # ipa sudorule-show sudorule-su-jane
  Rule name: sudorule-su-jane
  Enabled: True
  Users: bob
  Hosts: host.example.com
  Sudo Allow Commands: su - jane

  • SUDO returns a list of allowed command:

    $ sudo -l

User bob may run the following commands on host:
    (root) su - jane

  • When user bob runs the command, below error is returned:

    $ sudo su - jane
Sorry, user bob is not allowed to execute '/bin/su - jane' as root on host.example.com.

  • A corresponding log message is recorded in /var/log/secure.

    sudo[88693]: pam_sss(sudo:auth): authentication success; <...> euid=0 tty=/dev/pts/0 ruser=bob rhost= user=bob
sudo[88697]:     bob : command not allowed ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su - jane

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Red Hat Identity Management (IdM) / FreeIPA
  • SUDO

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content