<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/13/2014 06:04 PM, Steve Dainard wrote:
<blockquote
cite="mid:CAHnsdUvqCxQFuSNhBcx05CyeiPEA3cAGXctNn4HTP-=7SzYLZA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>I don't think this is an issue of bugs or documentation,
more of design. Perhaps there's someplace other than a users
list this belongs in but:</div>
<div><br>
</div>
<div>If IPA is a centrally managed identity and access control
system, should these configurations not be passed to clients,
rather than every client needing configuration changes post
join? Obviously I can automate config changes, but why would I
want to? I don't think sudoers priv is a fringe case, its
pretty much THE case for access/admin control. I cringe to
compare to a Windows domain, but I don't have to manually tell
a domain client that it should respect the rules I set on a
domain controller, I joined it to the domain for this reason.</div>
<div><br>
</div>
<div>Maybe you're working towards this, but in the meantime it
would be great if the options existed in the config files so
we immediately know what options are available and can
comment/uncomment them rather than searching around man pages
for options that might exist.</div>
<div><br>
</div>
<div>I believe you were looking for a documentation bug:</div>
<div><br>
</div>
<div># man sssd-sudo<br>
</div>
<div> To enable SSSD as a source for sudo rules, <b>add
sss to the sudoers entry</b> in nsswitch.conf(5).</div>
<div><br>
</div>
<div> For example, to configure sudo to first lookup rules
in the standard sudoers(5) file (which</div>
<div> should contain rules that apply to local users) and
then in SSSD, the nsswitch.conf file</div>
<div> should contain the following line:</div>
<div><br>
</div>
<div> <b> sudoers: files sss</b></div>
<div><br>
</div>
<div>
<div># /etc/nsswitch.conf</div>
<div>#</div>
<div># An example Name Service Switch config file. This file
should be</div>
<div># sorted with the most-used services at the beginning.</div>
<div>#</div>
<div># The entry '[NOTFOUND=return]' means that the search for
an</div>
<div># entry should stop if the search in the previous entry
turned</div>
<div># up nothing. Note that if the search failed due to some
other reason</div>
<div># (like no NIS server responding) then the search
continues with the</div>
<div># next entry.</div>
<div>#</div>
<div># Valid entries include:</div>
<div>#</div>
<div>#<span class="" style="white-space:pre"> </span>nisplus<span
class="" style="white-space:pre"> </span>Use NIS+ (NIS
version 3)</div>
<div>#<span class="" style="white-space:pre"> </span>nis<span
class="" style="white-space:pre"> </span>Use NIS (NIS
version 2), also called YP</div>
<div>#<span class="" style="white-space:pre"> </span>dns<span
class="" style="white-space:pre"> </span>Use DNS (Domain
Name Service)</div>
<div>#<span class="" style="white-space:pre"> </span>files<span
class="" style="white-space:pre"> </span>Use the local
files</div>
<div>#<span class="" style="white-space:pre"> </span>db<span
class="" style="white-space:pre"> </span>Use the local
database (.db) files</div>
<div>#<span class="" style="white-space:pre"> </span>compat<span
class="" style="white-space:pre"> </span>Use NIS on
compat mode</div>
<div>#<span class="" style="white-space:pre"> </span>hesiod<span
class="" style="white-space:pre"> </span>Use Hesiod for
user lookups</div>
<div>#<span class="" style="white-space:pre"> </span>[NOTFOUND=return]<span
class="" style="white-space:pre"> </span>Stop searching
if not found so far</div>
<div>#</div>
<div><br>
</div>
<div># To use db, put the "db" in front of "files" for entries
you want to be</div>
<div># looked up first in the databases</div>
<div>#</div>
<div># Example:</div>
<div>#passwd: db files nisplus nis</div>
<div>#shadow: db files nisplus nis</div>
<div>#group: db files nisplus nis</div>
<div><br>
</div>
<div>passwd: files sss</div>
<div>shadow: files sss</div>
<div>group: files sss</div>
<div>#initgroups: files</div>
<div><br>
</div>
<div>#hosts: db files nisplus nis dns</div>
<div>hosts: files mdns4_minimal [NOTFOUND=return] dns</div>
<div><br>
</div>
<div># Example - obey only what nisplus tells us...</div>
<div>#services: nisplus [NOTFOUND=return] files</div>
<div>#networks: nisplus [NOTFOUND=return] files</div>
<div>#protocols: nisplus [NOTFOUND=return] files</div>
<div>#rpc: nisplus [NOTFOUND=return] files</div>
<div>#ethers: nisplus [NOTFOUND=return] files</div>
<div>
#netmasks: nisplus [NOTFOUND=return] files</div>
<div><br>
</div>
<div>bootparams: nisplus [NOTFOUND=return] files</div>
<div><br>
</div>
<div>ethers: files</div>
<div>netmasks: files</div>
<div>networks: files</div>
<div>
protocols: files</div>
<div>rpc: files</div>
<div>services: files sss</div>
<div><br>
</div>
<div>netgroup: files sss</div>
<div><br>
</div>
<div>publickey: nisplus</div>
<div><br>
</div>
<div>automount: files sss</div>
<div>aliases: files nisplus</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Entry does not exist.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div dir="ltr">
<span style="font-family:arial,sans-serif;font-size:16px"><strong>Steve Dainard </strong></span><span
style="font-size:12px"></span><br>
<span style="font-family:arial,sans-serif;font-size:12px">IT
Infrastructure Manager<br>
<a moz-do-not-send="true" href="http://miovision.com/"
target="_blank">Miovision</a> | <em>Rethink Traffic</em><br>
<br>
<strong
style="font-family:arial,sans-serif;font-size:13px;color:#999999"><a
moz-do-not-send="true"
href="http://miovision.com/blog" target="_blank">Blog</a>
| </strong><font
style="font-family:arial,sans-serif;font-size:13px"
color="#999999"><strong><a moz-do-not-send="true"
href="https://www.linkedin.com/company/miovision-technologies"
target="_blank">LinkedIn</a> | <a
moz-do-not-send="true"
href="https://twitter.com/miovision" target="_blank">Twitter</a> |
<a moz-do-not-send="true"
href="https://www.facebook.com/miovision"
target="_blank">Facebook</a></strong></font> </span>
<hr
style="font-family:arial,sans-serif;font-size:13px;color:#333333;clear:both">
<div
style="color:#999999;font-family:arial,sans-serif;font-size:13px;padding-top:5px">
<span style="font-family:arial,sans-serif;font-size:12px">Miovision
Technologies Inc. | 148 Manitou Drive, Suite 101,
Kitchener, ON, Canada | N2C 1L3</span><br>
<span style="font-family:arial,sans-serif;font-size:12px">This
e-mail may contain information that is privileged or
confidential. If you are not the intended recipient,
please delete the e-mail and any attachments and notify
us immediately.</span></div>
</div>
</div>
<br>
<br>
<div class="gmail_quote">On Thu, Feb 13, 2014 at 5:15 PM, Jakub
Hrozek <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">On Thu, Feb 13, 2014 at 03:05:07PM -0500,
Steve Dainard wrote:<br>
> Is this server or client side where sudo_provider=ipa
is included in ver ><br>
> 1.11.x?<br>
<br>
</div>
Client side (sssd)<br>
<div class=""><br>
><br>
> My fedora 20 client doesn't have this option listed,
or is it baked in?<br>
><br>
<br>
</div>
Where exactly do you see the documentation lacking, perhaps
the sssd-ipa<br>
man page, or the sssd-sudo man page? I agree that docs are
important,<br>
but my view might be skewed because I know the internals..<br>
<br>
All that should be required with 1.9.6 or 1.11.x is:<br>
sudo_provider=ipa<br>
<br>
And enabling the 'sss' module in /etc/nsswitch.conf:<br>
sudoers: files sss<br>
<br>
That's it. Please let us know if you find any bugs in code
or docs.<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
Managing configuration files is outside of scope of IPA or SSSD. We
looked at this at the beginning of the IPA project a got a push back
from administrators who are used to control their Linux infra via
Puppet, Checf and similar means. We are also working on the OpenLMI
provider for SSSD this would allow to introspect and potentially
configure SSSD from the central console, may be even from IPA. But
this is future.<br>
For now the expectation is that some configuration needs to be done
manually or via some scripting. This is how things have always been.<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>