[Freeipa-users] sudo utilizing sssd rhel6.6

Jakub Hrozek jhrozek at redhat.com
Wed Dec 3 15:06:15 UTC 2014


On Wed, Dec 03, 2014 at 06:05:23AM -0800, sipazzo wrote:
> Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
> 
> yum install -y libsss_sudo
> 
> Added to /etc/nsswitch.conf
> 
> sudoers: sss files
> 
> Add nisdomainname:
> 
> nisdomainname ipadomain.com
> echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network
> 
> Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
> 
> [domain/ipadomain.com]
> ……….
> 
> sudo_provider = ldap
> ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
> ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipaclient1.ipadomain.com
> ldap_sasl_realm = ipadomain.COM
> krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
> 
> [sssd]
> services =  nss, pam, sudo, ssh
> 
> [sudo]
> 
> 
> Restart sssd service
> 
> I know that libsss_sudo is now included as part of another package and read that you need sssd-common which I tried installing to no avail as well. I had been told that despite the man pages on sssd I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records but am not sure that is correct. 
> 
> Questions:
> 1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system?

Starting with 6.6 the procedure was simplified to:
 * add sudo_provider=ipa to sssd.conf's domain section
 * add sss to the sudoers line of nsswitch.conf

> 2) Are the steps any different for a new system (i.e. I read it is "seamless" but I guess we still have to manually edit files?)

I'm not 100% sure if the ipa-client-install patches made it to 6.6 or
not, but with very recent (7.1) ipa-client-install, everything should
just work and be set up by the installer.

> 3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server, and do we have to specify the ldap_sasl_authid with the client hostname?

SRV records - yes
ldap_sasl_authid - you don't need that starting with 6.6
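
As an added example, not code from this thread or from the SSSD/FreeIPA projects: a small POSIX shell checker for the two-step 6.6 procedure described in the reply (sudo_provider = ipa in the domain section of sssd.conf, sss on the sudoers line of nsswitch.conf). It takes file paths as arguments, so it can run against the constructed samples embedded below, which are modelled on the question's pre-6.6 layout and the reply's simplified one; the `id_provider = ipa` line in those samples is an assumption, since the original message elides that part of the domain section. It also flags `ldap_sasl_authid` (which the reply says is no longer needed) and `ldap_sudo_search_base` (which only serves the ldap sudo provider) when they are still present.

```shell
#!/bin/sh
# Added example (not from the thread): check a RHEL 6.6+ IPA client's
# sudo-over-sssd setup against the two steps given in the reply:
#   1. sudo_provider = ipa in the [domain/...] section of sssd.conf
#   2. "sss" on the sudoers: line of nsswitch.conf
# File paths are arguments so the check runs against constructed samples;
# on a real client they would be /etc/sssd/sssd.conf and /etc/nsswitch.conf.

# Print the sudo_provider value from the first [domain/...] section of an
# sssd.conf; prints nothing if the key is unset there.
sssd_sudo_provider() {
    awk -F= '
        /^[[:space:]]*\[/ { in_domain = ($0 ~ /^[[:space:]]*\[domain\//); next }
        in_domain && $1 ~ /^[[:space:]]*sudo_provider[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit
        }' "$1"
}

# Succeed (exit 0) if the sudoers: line of an nsswitch.conf lists sss.
nsswitch_has_sss_sudoers() {
    awk '
        /^[[:space:]]*sudoers[[:space:]]*:/ {
            sub(/^[^:]*:/, "")
            for (i = 1; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# List pre-6.6 ldap-sudo keys still present: the reply says ldap_sasl_authid
# is no longer needed, and ldap_sudo_search_base only serves sudo_provider=ldap.
legacy_sudo_settings() {
    grep -E '^[[:space:]]*(ldap_sudo_search_base|ldap_sasl_authid)[[:space:]]*=' "$1" |
        sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//'
}

# Run all checks; exit status 0 only when both 6.6 steps are in place.
check_sudo_config() {
    sssd_conf=$1
    nsswitch_conf=$2
    rc=0
    provider=$(sssd_sudo_provider "$sssd_conf")
    if [ "$provider" = "ipa" ]; then
        echo "ok:   sudo_provider = ipa"
    else
        echo "FAIL: sudo_provider is '${provider:-unset}', expected ipa"
        rc=1
    fi
    if nsswitch_has_sss_sudoers "$nsswitch_conf"; then
        echo "ok:   nsswitch.conf sudoers line includes sss"
    else
        echo "FAIL: nsswitch.conf sudoers line lacks sss"
        rc=1
    fi
    for key in $(legacy_sudo_settings "$sssd_conf"); do
        echo "note: $key is not needed once sudo_provider = ipa is in place"
    done
    return $rc
}

# Constructed sample files; hostnames and domain are the placeholders used in
# the thread, and id_provider = ipa is an assumed line the question elided.
OLD_SSSD_CONF=$(mktemp); NEW_SSSD_CONF=$(mktemp)
NSS_OK=$(mktemp); NSS_MISSING=$(mktemp)
trap 'rm -f "$OLD_SSSD_CONF" "$NEW_SSSD_CONF" "$NSS_OK" "$NSS_MISSING"' EXIT

cat >"$OLD_SSSD_CONF" <<'EOF'
[domain/ipadomain.com]
id_provider = ipa
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
ldap_sasl_authid = host/ipaclient1.ipadomain.com

[sssd]
services = nss, pam, sudo, ssh
EOF

cat >"$NEW_SSSD_CONF" <<'EOF'
[domain/ipadomain.com]
id_provider = ipa
sudo_provider = ipa

[sssd]
services = nss, pam, sudo, ssh
EOF

printf 'passwd:     files sss\nsudoers:    files sss\n' >"$NSS_OK"
printf 'passwd:     files sss\nsudoers:    files\n' >"$NSS_MISSING"

echo "--- pre-6.6 layout from the question, sudoers line without sss:"
check_sudo_config "$OLD_SSSD_CONF" "$NSS_MISSING" || echo "result: needs fixing"
echo "--- simplified 6.6 layout from the reply:"
check_sudo_config "$NEW_SSSD_CONF" "$NSS_OK" && echo "result: looks good"
```

On a real client the functions can be sourced and pointed at `/etc/sssd/sssd.conf` and `/etc/nsswitch.conf`. Passing this check only shows the files match the procedure; it does not prove the sudo responder is answering, which running `sudo -l` as an IPA user after restarting sssd would.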