[Freeipa-devel] ipa-client-sudo

JR Aquino JR.Aquino at citrix.com
Sat Feb 19 17:00:15 UTC 2011


On 2/19/11 7:33 AM, "Simo Sorce" <ssorce at redhat.com> wrote:

>On Fri, 18 Feb 2011 23:09:21 -0500
>Adam Young <ayoung at redhat.com> wrote:
>
>> Here's a rough hack.  It follows the steps  in the test script. I
>> tested it out and it works.
>
>Truly  a hack :)

More specifically:

The script looks like it will functionally address RHEL6 + Fedora 14/15.
You'll want to be mindful of systems that need to use nss_ldap.conf due to
incompatibility with SSSD. (I believe in RHEL5 ipa-client-install actually
configures nss_ldap and not SSSD.)
The script, as it is, will stomp on the contents of the nss_ldap.conf file.


>
>Just one thing, do not change rc.local, it's wrong, if you really need
>to set the NIS domain (what for ?)

The domain must be set because the netgroup (and compat pieces of FreeIPA)
populate the nisDomain attribute in the nisNetgroupTriple.

Thus when sudo does a netgroup lookup to verify that the current host is
part of a netgroup, it will fail the match because the nisdomain of the
client must match that of this nisNetgroupTriple.

> then you set it like this:
>NISDOMAIN=example.com
>in /etc/sysconfig.network

There is actually a bug filed against Fedora about /etc/sysconfig.network
being broken:
https://bugzilla.redhat.com/show_bug.cgi?id=665465

(I will be opening another against RHEL through support this morning as
the Fedora ticket has languished.)

It only works if the system is utilizing the NIS Client as a whole
(ypbind, portmap, yp.conf) ... Which is completely unnecessary.
nss_ldap/sssd provide lookups into ldap for the nisNetgroupTriple required
to enumerate net groups in Linux.


>
>Simo.
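As an added example (not code from this thread, from FreeIPA, or from sudo), a small Python model of the netgroup-triple matching rule the message above describes: it parses nisNetgroupTriple values of the form "(host,user,domain)" and shows that a host check succeeds only when the client's NIS domain equals the triple's domain field. The triples are constructed sample data, and the matching is a simplified model, not glibc's innetgr.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample values in the nisNetgroupTriple form "(host,user,domain)".
SAMPLE_TRIPLES = [
    "(web01.example.com,-,example.com)",
    "(web02.example.com,-,example.com)",
    "(-,jdoe,example.com)",
]

TRIPLE_RE = re.compile(r"^\((?P<host>[^,]*),(?P<user>[^,]*),(?P<domain>[^)]*)\)$")


class Triple(NamedTuple):
    host: str
    user: str
    domain: str


def parse_triple(value: str) -> Optional[Triple]:
    """Parse one nisNetgroupTriple value; malformed values yield None."""
    m = TRIPLE_RE.match(value.strip())
    return Triple(**m.groupdict()) if m else None


def field_matches(field: str, wanted: str) -> bool:
    """Netgroup field semantics: an empty field is a wildcard, '-' matches nothing."""
    if field == "":
        return True
    if field == "-":
        return False
    return field == wanted


def host_in_netgroup(triples, host: str, nis_domain: str) -> bool:
    """Simplified model of the check described in the message: the host must
    match a triple whose domain field equals the client's NIS domain. An unset
    domain ("" or "(none)", as `domainname` reports it) therefore never matches
    a triple that carries a domain, which is the failure the message explains."""
    if nis_domain in ("", "(none)"):
        nis_domain = "-"  # treat "unset" as 'no valid value'
    for raw in triples:
        t = parse_triple(raw)
        if t is None:
            continue
        if field_matches(t.host, host) and field_matches(t.domain, nis_domain):
            return True
    return False
```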
