[Freeipa-users] freeipa and sudo

Pavel Březina pbrezina at redhat.com
Mon Sep 9 09:29:23 UTC 2013


On 09/08/2013 11:11 PM, Jakub Hrozek wrote:
> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
>> On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote:
>>
>>> On 09/07/2013 02:11 PM, Christian Horn wrote:
>>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>>>>> Are [1] and [2] still the current and best sources of information for
>>>>> configuring sudo for use with the current release of FreeIPA on Fedora
>>>>> 19?
>>>>>
>>>>> 1.
>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>>>>> 2.
>>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>> There is also the Identity_Management_Guide as part of the RHEL
>>>> product documentation:
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>>> This and the pdf above are the latest word in this area.
>>>
>>>> Christian
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>
>> Some sudo rules are causing:
>>
>>    [dean at desktop2 ~]$ sudo id
>>    sudo: internal error, tried to erealloc3(0)
>
> This is a known bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1000389
>
> I think the sudo rules are just missing the sudoHost attribute.
>
>>
>> , but others do not.  In the trial and error process of determining
>> which rule specifications are causing the error, I have been restarting
>> the virtual machine I am using as the sudo client between tests.  Is
>> there a better way to clear the SSSD cache between trials to make sure I
>> am testing the most recent rule change?
>
> Unfortunately right now the only way is to rm the sssd cache which would
> also remove any cached credentials.

You don't necessarily have to remove the cache. If you just restart SSSD 
the rules will be refreshed in approximately 15 seconds.

> I thought there was an RFE open to
> track the enhancement to make sss_cache invalidate and refresh sudo
> rules, but I can't find it now in the SSSD trac, so I filed another one:
> https://fedorahosted.org/sssd/ticket/2081
>
> Worst case, we mark it as a duplicate.
>
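
Added example, not part of the original thread: Jakub's reply above suggests the failing rules lack a sudoHost attribute, so this sketch scans an LDIF export of the sudo rules (for example, ldapsearch output) and lists sudoRole entries with no sudoHost value. The sample LDIF, the example.com DNs and the function names are constructed for illustration; sudoRole and sudoHost are the names used by the sudoers LDAP schema.

```python
import base64

# Constructed sample LDIF (not from the thread): three sudoRole entries.
SAMPLE_LDIF = """\
dn: cn=allow_id,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: dean
sudoHost: ALL
sudoCommand: /usr/bin/id

dn: cn=no_host,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: dean
sudoCommand: /usr/bin/less

dn: cn=folded,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: dean
sudoHost: desktop2.exam
 ple.com
sudoCommand:: L3Vzci9iaW4vaWQ=
"""

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    # LDIF folds long lines: a line starting with one space continues the previous one.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            yield entry

def rules_missing_sudohost(text):
    """Return the DNs of sudoRole entries that carry no non-empty sudoHost."""
    missing = []
    for e in parse_ldif(text):
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "sudorole" in classes and not any(e.get("sudohost", [])):
            missing.append(e["dn"][0])
    return missing

if __name__ == "__main__":
    print(rules_missing_sudohost(SAMPLE_LDIF))
```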



