[Freeipa-users] Authenticating sudo with ipa on Centos

Jakub Hrozek jhrozek at redhat.com
Mon Oct 21 20:03:23 UTC 2013


On Mon, Oct 21, 2013 at 01:34:17PM -0400, Rob Crittenden wrote:
> Andrew Holway wrote:
> >>It is a bit strange that your ipa_domain and ipa_hostname are the same. I
> >>think the domain should be just local.
> >>
> >>I'd run klist -kt /etc/krb5.keytab to see what principals are in there.
> >
> >ipa_hostname = 192-168-0-110.local
> >ipa_server = _srv_, 192-168-0-100.local
> >
> >Hi,
> >
> >I'm a little confused. They are not the same and these values were
> >created by the "ipa-client-install" utility.
> >
> >I think there is some extra magic needed so that I get sudo
> >working with ipa...The redhat docs are a little bit lacking for the
> >less advanced...
> >
> >https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html
> 
> Sure, but first we need to make sssd talk to IPA at all, which it isn't.
> 
> Like I said, it looks like your sssd configuration is wrong. You can
> always un-enroll and re-enroll the client in order to reset things.
> 
> rob

Sorry I didn't notice the sssd keyword until now.

I think Rob is right, ipa_domain and ipa_hostname being the same seems
wrong. Was this config generated by ipa-client-install at all?

If you put debug_level=6 into the [domain] section of sssd.conf and
restart the sssd, you'd be able to inspect more verbose debugging in
/var/log/sssd/*.log

But first I'd try re-enrolling the client as Rob says. You should end up
with a valid sssd.conf
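
The two checks discussed in this thread (ipa_domain matching ipa_hostname, and whether debug_level is set in the domain section) can be scripted; the following is an added example, not part of the original message or of the FreeIPA/SSSD code. The sample config is constructed, check_sssd_conf is a hypothetical helper name, and the fallback to the section's domain name when ipa_domain is absent is an assumption.

```python
import configparser

# Constructed sample (not the poster's real file): ipa_domain repeats ipa_hostname.
SAMPLE = """\
[sssd]
services = nss, pam
domains = local

[domain/local]
id_provider = ipa
ipa_domain = 192-168-0-110.local
ipa_hostname = 192-168-0-110.local
ipa_server = _srv_, 192-168-0-100.local
"""


def check_sssd_conf(text):
    """Return (section, finding) pairs for every [domain/NAME] section."""
    # RawConfigParser avoids '%' interpolation; strict=False tolerates duplicates.
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # Assumption: when ipa_domain is absent, sssd uses the section's domain name.
        domain = opts.get("ipa_domain", section.split("/", 1)[1]).strip().lower()
        host = opts.get("ipa_hostname", "").strip().lower()
        if host and host == domain:
            findings.append((section, "ipa_domain equals ipa_hostname"))
        # Only plain decimal levels are compared; other forms are left alone.
        level = opts.get("debug_level", "").strip()
        if not level:
            findings.append((section, "debug_level not set"))
        elif level.isdigit() and int(level) < 6:
            findings.append((section, "debug_level below 6"))
    return findings


if __name__ == "__main__":
    for section, finding in check_sssd_conf(SAMPLE):
        print(f"[{section}] {finding}")
```

To check a real client, pass the contents of its sssd.conf to check_sssd_conf instead of SAMPLE.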



