<html> <head> <style></style></head> <body class='hmmessage'><div dir='ltr'>I have existing machines running CentOS 6.3 which I want to include in a freeipa domain.<div><br><div>The domain controller machine is running Fedora 21 and freeipa-server-4.1.1-2 while the latest version of ipa I can find that runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.</div><div><br></div><div>I have successfully run ipa-client-install on the CentOS 6.3 client and set up users who can ssh to the client using ssh-keys.</div></div><div><br></div><div>The problem is that I can't get sudo rules to work. I know that the ipa client software version 3.0.0 doesn't automatically set up all the configuration for sssd to control sudo access, but I have set up all the configuration necessary manually:<br><br></div><div>On the client, /etc/nsswitch.conf has </div><div><br></div><div> sudoers files sss </div><div><br></div><div>/etc/sssd/sssd/conf has</div><div><br></div><div><div>[domain/default]</div><div><br></div><div>cache_credentials = True</div><div>krb5_realm = <REALM></div><div>krb5_server = <ipa server>:88</div><div>id_provider = ldap</div><div>auth_provider = ldap</div><div>chpass_provider = ldap</div><div>ldap_tls_cacertdir = /etc/openldap/cacerts</div><div>[domain/<domain>]</div><div><br></div><div>cache_credentials = True</div><div>krb5_store_password_if_offline = True</div><div>ipa_domain = <domain></div><div>id_provider = ipa</div><div>auth_provider = ipa</div><div>access_provider = ipa</div><div>chpass_provider = ipa</div><div>ipa_dyndns_update = True</div><div>ipa_server = <ipa server></div><div>ldap_tls_cacert = /etc/ipa/ca.crt</div><div>sudo_provider = ldap</div><div>ldap_uri = ldap://<ipa server></div><div>ldap_sudo_search_base = ou=sudoers,<domain base dn></div><div>ldap_sasl_mech = GSSAPI</div><div>ldap_sasl_authid = host/<client fqdn></div><div>ldap_sasl_realm = <REALM></div><div>krb5_server = <ipa server></div><div>debug_level = 9</div><div>[sssd]</div><div>services = nss, pam, ssh, sudo</div><div>config_file_version = 2</div><div><br></div><div>domains = <domain>, default</div><div>debug_level = 9</div></div><div><div>[nss]</div><div>debug_level = 9</div><div><br></div><div>[pam]</div><div>debug_level = 9</div><div><br></div><div>[sudo]</div><div>debug_level = 9</div><div>[autofs]</div></div><div><br></div><div>I have validated the ldap sasl configuration using ldapsearch, so I'm sure they are correct.</div><div><br></div><div>The nisdomainname command returns the domain name.</div><div><br></div><div>The sudo rules are:</div><div><div># ipa sudorule-find</div><div>--------------------</div><div>2 Sudo Rules matched</div><div>--------------------</div><div> Rule name: sudo-host1</div><div> Enabled: TRUE</div><div> Command category: all</div><div> RunAs User category: all</div><div> User Groups: host1-rw</div><div> Host Groups: host1</div><div> Sudo Option: -authenticate</div><div><br></div><div> Rule name: sudo-host2</div><div> Enabled: TRUE</div><div> User Groups: host2-rw</div><div> Host Groups: host2</div><div> Sudo Option: -authenticate</div><div>----------------------------</div><div>Number of entries returned 2</div><div>----------------------------</div></div><div><br></div><div>When a user in user group host1-rw sshs to a client in host group host1 and runs "sudo su -" the user gets prompted for a password even though the sudo option -authenticate is set.</div><div>I'm not convinced that sudo is even attempting to use sssd, but I'm not sure how to confirm this.</div><div><br></div><div>I have seen some references to /etc/sudo-ldap.conf in online discussions of similar issues. This file exists on my client, but everything is commented out. Do I need to put the ldap client configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf for CentOS 6.3 clients?</div><div><br></div><div>Any ideas about how to work out what is failing?</div><div><br></div><div>Chris</div><div><br></div><div><br></div> </div></body> </html>