[Freeipa-users] sudo utilizing sssd rhel6.6
Jakub Hrozek
jhrozek at redhat.com
Wed Dec 3 15:06:15 UTC 2014
On Wed, Dec 03, 2014 at 06:05:23AM -0800, sipazzo wrote:
> Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
>
> yum install -y libsss_sudo
>
> Added to /etc/nsswitch.conf
>
> sudoers: sss files
>
> Add nisdomainname:
>
> nisdomainname ipadomain.com
> echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network
>
> Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
>
> [domain/ipadomain.com]
> ……….
>
> sudo_provider = ldap
> ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
> ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipaclient1.ipadomain.com
> ldap_sasl_realm = ipadomain.COM
> krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
>
> [sssd]
> services = nss, pam, sudo, ssh
>
> [sudo]
>
>
> Restart sssd service
>
> I know that libsss_sudo is now included as part of another package and read that you need sssd-common which I tried installing to no avail as well. I had been told that despite the man pages on sssd I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records but am not sure that is correct.
>
> Questions:
> 1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system
Starting with 6.6 the procedure was simplified to:
* add sudo_provider=ipa to sssd.conf's domain section
* add sss to the sudoers line of nsswitch.conf
> 2) Are the steps any different for a new system (i.e. I read it is "seamless" but I guess we still have to manually edit files?)
I'm not 100% sure if the ipa-client-install patches made it to 6.6 or
not, but with very recent (7.1) ipa-client-install, everything should
just work and be set up by the installer.
> 3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server and do we have to specify the ldap_sasl_authid with the client hostname
SRV records - yes
ldap_sasl_authid - you don't need that starting with 6.6
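As an added example that is not part of the original thread: a shell script that applies the two-step 6.6 procedure from the reply (sudo_provider=ipa in the domain section of sssd.conf, sss on the sudoers line of nsswitch.conf) to whatever files it is pointed at, refuses to duplicate lines if run twice, and then checks the result. The file paths, the domain name and the sample contents in demo() are constructed for this example and describe no real host; it assumes the sudo responder is already listed under services in [sssd], as in the poster's config, and it does not restart sssd.

```shell
#!/bin/bash
# Added example (not from the original post): apply the RHEL 6.6 procedure from
# the reply to copies of sssd.conf and nsswitch.conf, then verify the result.
# File paths and the domain name are parameters; the sample contents in demo()
# are constructed for this example and do not describe any real host.
set -e

# Ensure "sudo_provider = ipa" is in the [domain/<name>] section of an sssd.conf.
# An existing sudo_provider line in that section is rewritten; otherwise the
# line is appended at the end of the section. Running it twice changes nothing.
set_sudo_provider_ipa() {
    conf="$1"; domain="$2"
    awk -v sect="[domain/$domain]" '
        /^\[/ {                        # section header: leaving or entering target
            if (insect && !done) { print "sudo_provider = ipa"; done = 1 }
            insect = ($0 == sect)
        }
        insect && /^[ \t]*sudo_provider[ \t]*=/ {
            if (!done) { print "sudo_provider = ipa"; done = 1 }
            next                       # drop the old value (e.g. "ldap")
        }
        { print }
        END { if (insect && !done) print "sudo_provider = ipa" }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Ensure "sss" appears on the sudoers: line of nsswitch.conf. If the line exists
# without sss, sss is put first (local /etc/sudoers stays as fallback); if there
# is no sudoers: line at all, "sudoers: sss files" is appended.
enable_sss_sudoers() {
    nss="$1"
    awk '
        /^sudoers:/ {
            seen = 1; has = 0
            for (i = 2; i <= NF; i++) if ($i == "sss") has = 1
            if (!has) sub(/^sudoers:[ \t]*/, "sudoers: sss ")
        }
        { print }
        END { if (!seen) print "sudoers: sss files" }
    ' "$nss" > "$nss.tmp" && mv "$nss.tmp" "$nss"
}

# Return 0 only when both changes are in place: sudo_provider = ipa inside the
# right domain section, and sss on the sudoers: line.
check_sudo_config() {
    conf="$1"; domain="$2"; nss="$3"
    awk -v sect="[domain/$domain]" '
        /^\[/ { insect = ($0 == sect) }
        insect && /^[ \t]*sudo_provider[ \t]*=[ \t]*ipa[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$conf" || return 1
    awk '/^sudoers:/ { for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1 }
         END { exit !ok }' "$nss"
}

# Demo on constructed sample files (hypothetical host; the sudo responder is
# already in services, as in the poster's config, and SRV discovery via _srv_).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, sudo, ssh
domains = ipadomain.com

[domain/ipadomain.com]
id_provider = ipa
ipa_server = _srv_, ipasrv1-corp.ipadomain.com
EOF
    printf 'passwd: files sss\nsudoers: files\n' > "$tmp/nsswitch.conf"
    set_sudo_provider_ipa "$tmp/sssd.conf" ipadomain.com
    enable_sss_sudoers "$tmp/nsswitch.conf"
    if check_sudo_config "$tmp/sssd.conf" ipadomain.com "$tmp/nsswitch.conf"; then
        echo "sudo via SSSD configured:"
        cat "$tmp/sssd.conf" "$tmp/nsswitch.conf"
    fi
    rm -rf "$tmp"
}
demo
```

On a real host the functions would be pointed at /etc/sssd/sssd.conf and /etc/nsswitch.conf as root, followed by an sssd restart, the same final step the original post lists; the old sudo_provider = ldap line from the poster's config is replaced rather than left alongside the new value.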