[Freeipa-users] freeipa and sudo

Dean Hunter deanhunter at comcast.net
Wed Sep 11 21:32:46 UTC 2013


On Wed, 2013-09-11 at 11:21 +0200, Pavel Březina wrote:

> On 09/09/2013 07:32 PM, Dean Hunter wrote:
> >
> > On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
> >> On 09/08/2013 01:35 AM, Dmitri Pal wrote:
> >>> On 09/07/2013 02:11 PM, Christian Horn wrote:
> >>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> >>>>> Are [1] and [2] still the current and best sources of
> >>>>> information for configuring sudo for use with the current
> >>>>> release of FreeIPA on Fedora 19?
> >>>>>
> >>>>> 1.
> >>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> >>>>>
> >>>>> 2.
> >>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> >>>>>
> >>>> There is also the Identity_Management_Guide as part of the RHEL
> >>>> product documentation:
> >>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> >>>>
> >>> This and the pdf above are the latest word in this area.
> >>
> >> Hi, those documents describes configuration for SSSD 1.9. Although
> >> it is still valid, we have simplified configuration for IPA
> >> provider in 1.10.
> >>
> >> The most up to date document for your version of SSSD is always
> >> man sssd-sudo.
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > Thank you. Please verify that I have correctly understood your note.
> > Your slides from 12-20-2012 applied to SSSD 1.9 and included a
> > reference to the manual pages, which I now understand, as well as
> > this example configuration:
> >
> > sudo_provider = ldap
> > ldap_uri = ldap://ipa.example.com
> > ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/hostname.example.com
> > ldap_sasl_realm = EXAMPLE.COM
> > krb5_server = ipa.example.com
> >
> > I have used this configuration with good results.  However, reading
> > "man sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:
> >
> > When the SSSD is configured to use the IPA provider, the sudo
> > provider is automatically enabled. The sudo search base is configured
> > to use the compat tree (ou=sudoers,$DC).
> 
> I forgot that the configuration was simplified also in 1.9. You can just
> stick with contents of sssd-sudo. I.e. you only need to put sudo to
> "services" (there's an RFE to do it automatically by ipa-client-install)
> and "sudoers: files sss" to /etc/nsswitch.conf
> 
> > May I suggest that you change "IPA provider" to "IPA as the ID
> > provider"?  There are a number of providers identified in sssd.conf
> > and most of them are configured to use IPA.
> 
> This is a valid point, thanks.
> 
> >
> > Testing shows that the only change now required to sssd.conf is the
> > addition of sudo to the services list in the sssd section [sssd]:
> >
> > services = autofs, nss, pam, ssh, sudo
> >
> > Add to this the one line change in nsswitch.conf
> >
> > sudoers:    files sss
> >
> > and I am done.
> 
> Correct.
> 


Nope, there is still one step remaining.  nisdomainname must be
configured:
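The thread settles on three host-side settings: `sudo` in the `services` list of the `[sssd]` section, `sudoers: files sss` in `/etc/nsswitch.conf`, and a configured NIS domain name. The script below is an added example, not code from the thread or from the SSSD or FreeIPA projects; it is a read-only check that a client has all three in place. The thread does not say what value `nisdomainname` should carry, so that check only verifies the name is set (not empty and not `(none)`, which is what `nisdomainname` prints on Linux when no domain is configured). The sample `sssd.conf` and `nsswitch.conf` files it writes to a temporary directory are constructed for the demonstration; on a real client you would point the checks at `/etc/sssd/sssd.conf` and `/etc/nsswitch.conf` and pass the output of `nisdomainname`.

```sh
#!/bin/sh
# Added example (not from the thread): read-only checks for the three settings
# the thread converges on. Nothing here modifies the host.

# $1: path to an sssd.conf. Succeeds if the [sssd] section lists sudo in services.
check_sssd_services() {
    awk '
        { sub(/[[:space:]]+$/, "") }                  # drop trailing whitespace
        /^\[/ { in_sssd = ($0 == "[sssd]") }          # track which section we are in
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, "")                        # keep only the value
            n = split($0, parts, /[,[:space:]]+/)     # comma- or space-separated list
            for (i = 1; i <= n; i++) if (parts[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# $1: path to an nsswitch.conf. Succeeds if the sudoers database lists the sss source.
check_nsswitch_sudoers() {
    awk '
        /^[[:space:]]*sudoers[[:space:]]*:/ {
            sub(/^[^:]*:/, "")                        # keep only the source list
            n = split($0, src, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# $1: the output of nisdomainname(1), passed in so the check runs offline.
# The thread only says the name must be configured, so this checks presence, not value.
check_nisdomainname() {
    case "$1" in
        ""|"(none)") return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample files: the state before and after the change in the thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sssd-before.conf" <<'EOF'
[sssd]
services = autofs, nss, pam, ssh
domains = example.com
EOF
cat > "$SAMPLE_DIR/sssd-after.conf" <<'EOF'
[sssd]
services = autofs, nss, pam, ssh, sudo
domains = example.com
EOF
printf 'passwd:     files sss\nsudoers:    files\n'     > "$SAMPLE_DIR/nsswitch-before.conf"
printf 'passwd:     files sss\nsudoers:    files sss\n' > "$SAMPLE_DIR/nsswitch-after.conf"

# Print one line per check. On a real client call:
#   report /etc/sssd/sssd.conf /etc/nsswitch.conf "$(nisdomainname)"
report() {
    check_sssd_services "$1"    && echo "sssd.conf: sudo service enabled"    || echo "sssd.conf: sudo missing from services"
    check_nsswitch_sudoers "$2" && echo "nsswitch.conf: sudoers uses sss"    || echo "nsswitch.conf: sudoers does not use sss"
    check_nisdomainname "$3"    && echo "nisdomainname: configured ($3)"     || echo "nisdomainname: not configured"
}

report "$SAMPLE_DIR/sssd-before.conf" "$SAMPLE_DIR/nsswitch-before.conf" "(none)"
report "$SAMPLE_DIR/sssd-after.conf"  "$SAMPLE_DIR/nsswitch-after.conf"  "example.com"
```

The `[sssd]` check deliberately tracks section headers rather than grepping for `services =` anywhere, because `sssd.conf` has several sections and only the one in `[sssd]` enables the responder.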


