[Freeipa-users] sudo utilizing sssd rhel6.6
sipazzo
sipazzo at yahoo.com
Wed Dec 3 14:05:23 UTC 2014
Good morning. I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working, and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
yum install -y libsss_sudo
Added to /etc/nsswitch.conf
sudoers: sss files
Add nisdomainname:
nisdomainname ipadomain.com
echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network
Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
[domain/ipadomain.com]
……….
sudo_provider = ldap
ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipaclient1.ipadomain.com
ldap_sasl_realm = ipadomain.COM
krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
[sssd]
services = nss, pam, sudo, ssh
[sudo]
Restart sssd service
I know that libsss_sudo is now included as part of another package, and I read that you need sssd-common, which I tried installing as well, to no avail. I had been told that, despite the sssd man pages, I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records, but I am not sure that is correct.
Questions:
1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system?
2) Are the steps any different for a new system (i.e. I read it is "seamless", but I guess we still have to manually edit files)?
3) Does sssd in rhel6.6 support SRV lookup for ldap_uri and krb5_server, and do we have to specify ldap_sasl_authid with the client hostname?
Thank you for any assistance.
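An offline sanity check for the client-side pieces the post lists (the sudoers map in nsswitch.conf, the sudo responder and sudo_provider in sssd.conf, and NISDOMAIN in /etc/sysconfig/network). This is an added example, not code from the post or from the FreeIPA/SSSD projects; the three sample files are constructed from the values in the post and written under a temporary directory, and the function names and that directory are assumptions. Point the functions at the real /etc paths to check an actual client.

```shell
#!/bin/sh
# Constructed sample files (values taken from the post); assumed temp paths.
DEMO=$(mktemp -d)
NSS_CONF="$DEMO/nsswitch.conf"
SSSD_CONF="$DEMO/sssd.conf"
NET_CONF="$DEMO/network"
NSS_BAD="$DEMO/nsswitch-missing.conf"

cat > "$NSS_CONF" <<'EOF'
passwd:     files sss
sudoers:    sss files
EOF
cat > "$NSS_BAD" <<'EOF'
passwd:     files sss
EOF
cat > "$SSSD_CONF" <<'EOF'
[sssd]
services = nss, pam, sudo, ssh
domains = ipadomain.com

[domain/ipadomain.com]
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com

[sudo]
EOF
cat > "$NET_CONF" <<'EOF'
NETWORKING=yes
NISDOMAIN=ipadomain.com
EOF

# Print the value of key $3 inside section [$2] of INI-style file $1
# (empty output if the section or key is absent).  Section names such as
# domain/ipadomain.com are matched literally apart from the "." wildcard.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ { insect = ($0 ~ "^[[:space:]]*\\[" sect "\\][[:space:]]*$"); next }
        insect && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# True if the sudoers map in nsswitch.conf ($1) is served by sss.
nsswitch_has_sss_sudoers() {
    grep -Eq '^[[:space:]]*sudoers:.*(^|[[:space:]]|:)sss([[:space:]]|$)' "$1"
}

# True if "sudo" is listed in services under [sssd] in sssd.conf ($1).
sssd_has_sudo_service() {
    ini_get "$1" sssd services | tr ',' '\n' | tr -d ' \t' | grep -qx sudo
}

# Print the sudo_provider configured for domain $2 in sssd.conf ($1).
domain_sudo_provider() {
    ini_get "$1" "domain/$2" sudo_provider
}

# True if sysconfig/network ($1) sets NISDOMAIN to $2.
network_has_nisdomain() {
    grep -Eq "^[[:space:]]*NISDOMAIN=\"?$2\"?[[:space:]]*$" "$1"
}

# Run every check for domain $4; one line per item, non-zero if anything is missing.
check_sudo_client() {
    nss="$1"; sssd="$2"; net="$3"; dom="$4"; rc=0
    if nsswitch_has_sss_sudoers "$nss"; then echo "ok       nsswitch: sudoers via sss"
    else echo "MISSING  nsswitch: add 'sudoers: sss files'"; rc=1; fi
    if sssd_has_sudo_service "$sssd"; then echo "ok       sssd.conf: sudo responder in services"
    else echo "MISSING  sssd.conf: add sudo to [sssd] services"; rc=1; fi
    prov=$(domain_sudo_provider "$sssd" "$dom")
    if [ -n "$prov" ]; then echo "ok       sssd.conf: sudo_provider = $prov for $dom"
    else echo "MISSING  sssd.conf: no sudo_provider in [domain/$dom]"; rc=1; fi
    if network_has_nisdomain "$net" "$dom"; then echo "ok       network: NISDOMAIN=$dom"
    else echo "MISSING  network: NISDOMAIN=$dom not set"; rc=1; fi
    return $rc
}

check_sudo_client "$NSS_CONF" "$SSSD_CONF" "$NET_CONF" ipadomain.com
```

The INI lookup is section-aware on purpose: a sudo_provider line placed under [sssd] or [sudo] instead of the domain section is one of the easiest mistakes to make when copying snippets between the blocks above, and a plain grep would not catch it.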