[Freeipa-users] Authenticating sudo with ipa on Centos

Andrew Holway andrew.holway at gmail.com
Mon Oct 21 21:20:28 UTC 2013


Hi,

ipa_domain and ipa_hostname was indeed a config error. Also, using a
.local domain caused all manner of problems.

Thanks all for your help!

Andrew

On 21 October 2013 21:03, Jakub Hrozek <jhrozek at redhat.com> wrote:
> On Mon, Oct 21, 2013 at 01:34:17PM -0400, Rob Crittenden wrote:
>> Andrew Holway wrote:
>> >>It is a bit strange that your ipa_domain and ipa_hostname are the same. I
>> >>think the domain should be just local.
>> >>
>> >>I'd run klist -kt /etc/krb5.keytab to see what principals are in there.
>> >
>> >ipa_hostname = 192-168-0-110.local
>> >ipa_server = _srv_, 192-168-0-100.local
>> >
>> >Hi,
>> >
>> >I'm a little confused. They are not the same and these values were
>> >created by the "ipa-client-install" utility.
>> >
>> >I think there is some extra magic needed so that I get sudo
>> >working with ipa...The Red Hat docs are a little bit lacking for the
>> >less advanced...
>> >
>> >https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html
>>
>> Sure, but first we need to make sssd talk to IPA at all, which it isn't.
>>
>> Like I said, it looks like your sssd configuration is wrong. You can
>> always un-enroll and re-enroll the client in order to reset things.
>>
>> rob
>
> Sorry I didn't notice the sssd keyword until now.
>
> I think Rob is right, ipa_domain and ipa_hostname being the same seems
> wrong. Was this config generated by ipa-client-install at all?
>
> If you put debug_level=6 into the [domain] section of sssd.conf and
> restart the sssd, you'd be able to inspect more verbose debugging in
> /var/log/sssd/*.log
>
> But first I'd try re-enrolling the client as Rob says. You should end up
> with a valid sssd.conf
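
The misconfiguration diagnosed in this thread, as an added check that is not part of the original messages: it parses sssd.conf text and flags an IPA domain section whose ipa_hostname equals ipa_domain, or whose domain ends in .local. The function name `check_sssd_conf` and both sample files are constructed for illustration; the fallback of an unset ipa_domain to the section's domain name follows sssd-ipa(5).

```python
import configparser

# Constructed sample: a client whose ipa_domain repeats the host name.
SAMPLE_BAD = """\
[sssd]
services = nss, pam
domains = local

[domain/local]
id_provider = ipa
ipa_domain = 192-168-0-110.local
ipa_hostname = 192-168-0-110.local
ipa_server = _srv_, 192-168-0-100.local
"""

# Constructed sample: host name inside a non-.local IPA domain.
SAMPLE_GOOD = """\
[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_hostname = client1.example.test
ipa_server = _srv_, ipa1.example.test
"""


def check_sssd_conf(text):
    """Return (section, finding) pairs for every id_provider = ipa section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        if opts.get("id_provider", "").strip().lower() != "ipa":
            continue
        # An unset ipa_domain defaults to the configuration domain name.
        default_domain = section.split("/", 1)[1]
        domain = opts.get("ipa_domain", default_domain).strip().lower().rstrip(".")
        host = opts.get("ipa_hostname", "").strip().lower().rstrip(".")
        if host and host == domain:
            findings.append((section, "ipa_hostname equals ipa_domain"))
        if domain == "local" or domain.endswith(".local"):
            findings.append((section, "ipa_domain uses .local"))
    return findings


if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_sssd_conf(sample))
```

To check a real client, pass the contents of /etc/sssd/sssd.conf (readable by root only) to `check_sssd_conf`.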
