[Freeipa-users] sudo utilizing sssd rhel6.6

Lukas Slebodnik lslebodn at redhat.com
Wed Dec 3 15:38:49 UTC 2014


On (03/12/14 06:05), sipazzo wrote:
>Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
>
>yum install -y libsss_sudo
>
>Added to /etc/nsswitch.conf
>
>sudoers: sss files
>
>Add nisdomainname:
>
>nisdomainname ipadomain.com
>echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network
>
>Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
>
>[domain/ipadomain.com]
>……….
>
>sudo_provider = ldap
>ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
>ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
>ldap_sasl_mech = GSSAPI    
>ldap_sasl_authid = host/ipaclient1.ipadomain.com  
>ldap_sasl_realm = ipadomain.COM
>krb5_server =ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
>
>[sssd]
>services =  nss, pam, sudo, ssh
>
>[sudo]
>
>
>Restart sssd service
>
>I know that libsss_sudo is now included as part of another package and read that you need sssd-common which I tried installing to no avail as well. I had been told that despite the man pages on sssd I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records but am not sure that is correct. 
>
>Questions:
>1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system
Configuration from rhel 6.5 should work also on rhel 6.6

But rhel 6.6 can work also with sudo_provider = ipa
In this case sssd configuration is easier. You can find details in manual page
man sssd-sudo.


>2) Are the steps any different for a new system (i.e. I read it is "seamless" but I guess we still have to manually edit files?)
On rhel6.6 ipa-client-install should configure sudo unless you executed
ipa-client-install with --no-sudo

>3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server and do we have to specify the ldap_sasl_authid with the client hostname
Yes, it does.
man sssd-ldap -> SERVICE DISCOVERY

If you use sudo_provider=ipa then you will not need to configure all ldap_*
krb5_* options on your own.

LS
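An added check, not from this thread or from SSSD/FreeIPA, that reads an sssd.conf and nsswitch.conf pair and reports the points raised in the reply above: the sudo responder missing from `services`, hand-set ldap_*/krb5_* options that `sudo_provider = ipa` makes redundant, a static `ldap_uri` that bypasses SRV discovery, and a `sudoers:` line without `sss`. The sample configs are constructed from the quoted one; hostnames are placeholders.

```python
import configparser
from typing import List

# Constructed samples modelled on the thread's config; hostnames are placeholders.
LDAP_STYLE_CONF = """[sssd]
services = nss, pam, ssh
[domain/ipadomain.com]
id_provider = ipa
sudo_provider = ldap
ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com
ldap_sasl_authid = host/ipaclient1.ipadomain.com
krb5_server = ipasrv2-corp.ipadomain.com
"""
IPA_STYLE_CONF = """[sssd]
services = nss, pam, sudo, ssh
[domain/ipadomain.com]
id_provider = ipa
sudo_provider = ipa
ipa_server = _srv_, ipasrv2-corp.ipadomain.com
ldap_uri = ldaps://ipasrv2-corp.ipadomain.com
"""
NSSWITCH_OK = "passwd: files sss\nsudoers: sss files\n"
NSSWITCH_MISSING = "passwd: files sss\nsudoers: files\n"

# Options the ipa sudo provider derives itself; hand-setting them is redundant.
MANUAL_LDAP_OPTS = ("ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech",
                    "ldap_sasl_authid", "ldap_sasl_realm", "krb5_server")


def check_sudo_integration(sssd_conf: str, nsswitch_conf: str) -> List[str]:
    """Return findings; an empty list means the sudo wiring looks complete."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_conf)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services lacks 'sudo': the sudo responder is never started")
    for dom in (s for s in cp.sections() if s.startswith("domain/")):
        # sudo_provider defaults to id_provider when unset
        provider = cp.get(dom, "sudo_provider", fallback=cp.get(dom, "id_provider", fallback=""))
        if provider == "ipa":
            findings += [f"{dom}: {o} is redundant with sudo_provider = ipa"
                         for o in MANUAL_LDAP_OPTS if cp.has_option(dom, o)]
        elif provider == "ldap" and "_srv_" not in cp.get(dom, "ldap_uri", fallback="_srv_"):
            findings.append(f"{dom}: ldap_uri is a static server list; SRV discovery is not used")
    sudoers = [l.split(":", 1)[1].split() for l in nsswitch_conf.splitlines()
               if l.strip().startswith("sudoers:")]
    if not sudoers or "sss" not in sudoers[0]:
        findings.append("nsswitch.conf: the 'sudoers:' line does not include 'sss'")
    return findings
```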
