[Freeipa-users] FreeIPA + Foreman 1.5

Stephen Benjamin stbenjam at redhat.com
Fri Apr 25 11:23:37 UTC 2014



----- Original Message -----
> From: "Martin Kosek" <mkosek at redhat.com>
> To: "Stephen Benjamin" <stbenjam at redhat.com>, "Jan Cholasta" <jcholast at redhat.com>
> Cc: dpal at redhat.com, freeipa-users at redhat.com, "Tomas Babej" <tbabej at redhat.com>
> Sent: Friday, April 25, 2014 10:54:13 AM
> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> 
> On 04/25/2014 10:16 AM, Stephen Benjamin wrote:
> > ----- Original Message -----
> >> From: "Jan Cholasta" <jcholast at redhat.com>
> >> To: "Martin Kosek" <mkosek at redhat.com>, dpal at redhat.com, "Stephen
> >> Benjamin" <stbenjam at redhat.com>
> >> Cc: freeipa-users at redhat.com
> >> Sent: Friday, April 25, 2014 9:44:37 AM
> >> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> > 
> >> AFAIK you can use ldap sudo provider with IPA, see e.g.
> >> <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
> > 
> > I got this working, and it seems to work across recent Fedora releases too.
> > This at least removes the requirement on using the old bind password
> > method.  Thanks!
> > 
> > Is there a way for sssd to use _srv_ for the krb5_server line?
> > 
> > Here's an updated Kickstart snippet:
> >   https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> > 
> > If we know what the Syntax will be for sudo (or will it be default
> > in 4.0?), then I can include the logic already not to do it manually.
> > 
> > 
> > - Stephen
> > 
> 
> Good! A few comments I have after reading the snippet:
> 
> For automount, you also want to use --server option and --unattended option
> (your version would freeze):
> 
> # ipa-client-automount --server vm-086.example.com --unattended
> IPA server: vm-086.example.com
> Location: default
> Configured /etc/nsswitch.conf
> Configured /etc/sysconfig/nfs
> Configured /etc/idmapd.conf
> Started rpcidmapd
> Started rpcgssd
> Restarting sssd, waiting for it to become available.
> Started autofs
> 
> This is an example from RHEL-6.5.
> 
> As for SUDO, did you test the setup? It seems to me you missed adding sss
> source to "sudoers" database in nsswitch.conf.
>
> You would also need to set NIS domain name, otherwise SUDO will not correctly
> recognize SUDO rules targeted on host groups, instead of hosts:

Ah right, the system I tested was already registered.  Good catch, thanks.
 
> authconfig --nisdomain example.com --update
> nisdomainname example.com
> 
> On Fedora or RHEL > 7.0, you would also need to enable systemd service to
> make the NIS domain name setup persistent:
> 
> # service rhel-domainname.service start
> or
> # service fedora-domainname.service start

Wow.

Why was it done that way? It makes it difficult to write
cross-distro things...

How will we call that on EL clones?



> and
> 
> # service rhel-domainname.service enable
> or
> # service fedora-domainname.service enable
> 
> All these sudo client changes will come from free with FreeIPA 4.0.
> 
> Martin
> 
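As an added example (not part of this thread or of the Foreman kickstart snippet), a small POSIX sh helper for the nsswitch.conf change Martin points out, plus a readiness check that also covers the NIS domain name; the NSSWITCH variable, the function names and the --apply flag are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent helpers for adding the sss
# source to the "sudoers" database in nsswitch.conf, and a check a kickstart
# %post section can run before the host is handed over.

# Assumed variable: the file to edit (defaults to the real one).
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"

# Return 0 if the sudoers: line in $1 already lists the sss source, else 1.
# "sss" must be a whole word, so "sssd" or similar does not match.
sudoers_has_sss() {
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$1"
}

# Add sss to the sudoers: line of $1, creating "sudoers: files sss" if the
# database is not listed at all. Safe to run repeatedly.
ensure_sudoers_sss() {
    file="$1"
    if sudoers_has_sss "$file"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*sudoers:' "$file"; then
        # Strip trailing whitespace on the existing line and append sss.
        awk '/^[[:space:]]*sudoers:/ { sub(/[[:space:]]+$/, ""); $0 = $0 " sss" }
             { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'sudoers: files sss\n' >> "$file"
    fi
}

# Return 0 when both prerequisites for IPA sudo rules on host groups hold:
# sss in the sudoers database ($1 = nsswitch file) and a NIS domain name set
# ($2 = output of nisdomainname, which prints "(none)" when unset).
sudo_client_ready() {
    file="$1"; domain="$2"
    sudoers_has_sss "$file" || { echo "missing: sss in sudoers line of $file" >&2; return 1; }
    [ -n "$domain" ] && [ "$domain" != "(none)" ] \
        || { echo "missing: NIS domain name (see nisdomainname)" >&2; return 1; }
    return 0
}

# Assumed CLI: only touch the real system when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    ensure_sudoers_sss "$NSSWITCH"
    sudo_client_ready "$NSSWITCH" "$(nisdomainname 2>/dev/null)"
fi
```

Run it with `--apply` from the kickstart %post after `authconfig --nisdomain`, so a missing sss source or domain name fails the build instead of showing up later as sudo silently ignoring host-group rules.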