<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6"> </HEAD> <BODY> On Wed, 2013-09-11 at 11:21 +0200, Pavel Březina wrote: <BLOCKQUOTE TYPE=CITE> <PRE> On 09/09/2013 07:32 PM, Dean Hunter wrote: > > On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote: >> On 09/08/2013 01:35 AM, Dmitri Pal wrote: >>> On 09/07/2013 02:11 PM, Christian Horn wrote: >>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote: >>>>> Are [1] and[2] still the current and best sources of >>>>> information for configuring sudo for use with the current >>>>> release of FreeIPA on Fedora 19? >>>>> >>>>> 1. >>>>> <A HREF="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html</A> >> >>>>> >>> 2. >>>>> <A HREF="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</A> >> >>>>> >> There is also the Identity_Management_Guide as part of the RHEL >>>> product documentation: >>>> <A HREF="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html</A> >> >>>> > This and the pdf above are the latest word in this area. >> >> Hi, those documents describes configuration for SSSD 1.9. Although >> it is still valid, we have simplified configuration for IPA >> provider in 1.10. >> >> The most up to date document for your version of SSSD is always >> man sssd-sudo. >> >> _______________________________________________ Freeipa-users >> mailing list <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> >> <<A HREF="mailto:Freeipa-users@redhat.com">mailto:Freeipa-users@redhat.com</A>> >> <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> > > Thank you. Please verify that I have correctly understood your note. > Your slides from 12-20-2012 applied to SSSD 1.9 and included a > reference to the manual pages, which I now understand, as well as > this example configuration: > > sudo_provider = ldap ldap_uri = ldap://ipa.example.com > ldap_sudo_search_base = ou=sudoers,dc=example,dc=com ldap_sasl_mech = > GSSAPI ldap_sasl_authid = host/hostname.example.com ldap_sasl_realm = > EXAMPLE.COM krb5_server = ipa.example.com > > I have used this configuration with good results. However, reading > "man sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph: > > When the SSSD is configured to use the IPA provider, the sudo > provider is automatically enabled. The sudo search base is configured > to use the compat tree (ou=sudoers,$DC). I forgot that the configuration was simplified also in 1.9. You can just stick with contents of sssd-sudo. I.e. you only need to put sudo to "services" (there's an RFE to do it automatically by ipa-client-install) and "sudoers: files sss" to /etc/nsswitch.conf > May I suggest that you change "IPA provider" to "IPA as the ID > provider"? There are a number of providers identified in sssd.conf > and most of them are configured to use IPA. This is a valid point, thanks. > > Testing shows that the only change now required to sssd.conf is the > addition of sudo to the services list in the sssd section [sssd]: > > services = autofs, nss, pam, ssh, sudo > > Add to this the one line change in nsswitch.conf > > sudoers: files sss > > and I am done. Correct. _______________________________________________ Freeipa-users mailing list <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> </PRE> </BLOCKQUOTE> Nope, there is still one step remaining. nisdomainname must be configured: </BODY> </HTML>