[Freeipa-users] Sudo issues with FreeIPA
Dimitar Georgievski
mitkany at gmail.com
Fri Dec 20 23:42:37 UTC 2013
Hi Dmitri,
One follow up question about the management of the SSSD local cache. I've
tried to clean cache entries with the sss_cache utility, but it looks like
this utility is not working. I was able to confirm with ldbsearch that
records for specific entries were not removed from the cache.
This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon,
but just wanted to confirm with you. I suspect you would know more about
this problem. Unfortunately I wasn't able to find any info yet about this
potential bug.
thanks
Dimitar
On Tue, Dec 17, 2013 at 10:40 PM, Dimitar Georgievski <mitkany at gmail.com> wrote:
> Thanks Dmitri. Those settings for ldap in sssd.conf fixed the issue.
>
> Dimitar
>
>
> On Tue, Dec 17, 2013 at 6:47 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>> On 12/17/2013 06:34 PM, Dimitar Georgievski wrote:
>>
>> Hi,
>>
>> I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works fine except
>> that I have a problem enforcing sudo policies on the hosts that are part of
>> the managed domain.
>>
>> When trying to run the following simple command as a user managed by
>> FreeIPA I got the following response:
>>
>>
>>     > sudo /usr/bin/vim test.txt
>>     jsmith is not allowed to run sudo on myhost. This incident will be reported.
>>
>> I might have missed something in the configuration of the server or SSSD
>> on the client host.
>>
>> Is there any guideline for sudo integration with FreeIPA?
>>
>> The following is the SSSD configuration on the client host:
>>
>> [domain/example.net]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = example.net
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> sudo_provider = ldap
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = ipaserver.example.net
>> chpass_provider = ipa
>> ipa_server = _srv_
>> ipa_backup_server = replica.example.net
>>
>>
>> dns_discovery_domain = example.net
>>
>>
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>>
>> domains = example.net
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>> debug_level = 0x3ff0
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> Thanks,
>>
>> Dimitar
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>>
>
>
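An added example, not part of the original thread: a small check that flags an sssd.conf domain using "sudo_provider = ldap" without the LDAP-side options, run here against a trimmed, constructed copy of the configuration quoted above. The list of expected options is an assumption taken from the IPA example in sssd-sudo(5); the thread itself does not say which settings were added.

```python
import configparser

# Assumption: LDAP-side options that the sssd-sudo(5) example for an IPA
# domain sets alongside "sudo_provider = ldap"; not a list from this thread.
LDAP_SUDO_KEYS = ("ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech",
                  "ldap_sasl_authid", "ldap_sasl_realm", "krb5_server")

# Constructed sample: trimmed copy of the client configuration quoted above.
POSTED_CONF = """
[domain/example.net]
id_provider = ipa
auth_provider = ipa
sudo_provider = ldap
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_server = _srv_

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.net

[sudo]
debug_level = 0x3ff0
"""

def check_sudo_config(text):
    """Return a list of findings for the sudo-related parts of an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    services = [s.strip() for s in sssd.get("services", "").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services does not list sudo")
    domains = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]
    for name in domains:
        section = "domain/" + name
        if not cp.has_section(section):
            findings.append("missing section [%s]" % section)
            continue
        dom = cp[section]
        if dom.get("sudo_provider", "").strip().lower() != "ldap":
            continue  # only the ldap sudo provider needs the ldap_* options
        for key in LDAP_SUDO_KEYS:
            if key not in dom:
                findings.append("[%s] sudo_provider = ldap but %s is not set"
                                % (section, key))
    return findings
```

Calling check_sudo_config(POSTED_CONF) returns one finding per missing ldap_* option for [domain/example.net].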