[Freeipa-users] sudo utilizing sssd rhel6.6

sipazzo sipazzo at yahoo.com
Fri Dec 5 14:43:25 UTC 2014


Thank you both. I was able to get this working by just adding the sudo_provider = ipa to sssd.conf. I removed all the ldap_uri and krb5_server lines to keep the file tidier. I had read service discovery works with sssd but was told by Redhat support it does not. I am happy to hear it does as it is much easier to maintain.

Thanks again. 
--------------------------------------------
On Wed, 12/3/14, Lukas Slebodnik <lslebodn at redhat.com> wrote:

 Subject: Re: [Freeipa-users] sudo utilizing sssd rhel6.6
 To: "sipazzo" <sipazzo at yahoo.com>
 Cc: freeipa-users at redhat.com
 Date: Wednesday, December 3, 2014, 7:38 AM
 
 On (03/12/14 06:05), sipazzo wrote:
 >Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
 >
 >yum install -y libsss_sudo
 >
 >Added to /etc/nsswitch.conf
 >
 >sudoers: sss files
 >
 >Add nisdomainname:
 >
 >nisdomainname ipadomain.com
 >echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network
 >
 >Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
 >
 >[domain/ipadomain.com]
 >……….
 >
 >sudo_provider = ldap
 >ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
 >ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
 >ldap_sasl_mech = GSSAPI
 >ldap_sasl_authid = host/ipaclient1.ipadomain.com
 >ldap_sasl_realm = ipadomain.COM
 >krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
 >
 >[sssd]
 >services = nss, pam, sudo, ssh
 >
 >[sudo]
 >
 >
 >Restart sssd service
 >
 >I know that libsss_sudo is now included as part of another package and read that you need sssd-common which I tried installing to no avail as well. I had been told that despite the man pages on sssd I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records but am not sure that is correct.
 >
 >Questions:
 >1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system
 Configuration from rhel 6.5 should work also on rhel 6.6.
 
 But rhel 6.6 can work also with sudo_provider = ipa. In this case sssd configuration is easier. You can find details in manual page man sssd-sudo.
 
 >2) Are the steps any different for a new system (i.e. I read it is "seamless" but I guess we still have to manually edit files?)
 On rhel6.6 ipa-client-install should configure sudo unless you executed ipa-client-install with --no-sudo
 
 >3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server and do we have to specify the ldap_sasl_authid with the client hostname
 Yes, it does.
 man sssd-ldap -> SERVICE DISCOVERY
 
 If you use sudo_provider=ipa then you will not need to configure all ldap_* krb5_* options on your own.
 
 LS
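As an added example (not from the thread, the original poster, or the sssd project), a small shell check for the three pieces the thread walks through: the `sudoers: sss` line in nsswitch.conf, `sudo` in the `[sssd]` services list, and a `sudo_provider` in the domain section. It defaults to the live files; the sample files it writes are constructed, with a placeholder domain `example.test`.

```shell
#!/bin/sh
# Verify the sudo-over-sssd client configuration. Arguments: path to
# nsswitch.conf and sssd.conf (default to the live files).
sudo_sss_check() {
    nsswitch="${1:-/etc/nsswitch.conf}"
    sssdconf="${2:-/etc/sssd/sssd.conf}"
    rc=0

    # 1) the sudoers database must be served by the sss module
    if grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$nsswitch"; then
        echo "ok: sudoers database uses sss ($nsswitch)"
    else
        echo "missing: 'sudoers: sss files' in $nsswitch"; rc=1
    fi

    # 2) [sssd] services must include sudo, or the sudo responder never starts
    if awk '/^\[sssd\]/{s=1;next} /^\[/{s=0}
            s && /^[[:space:]]*services[[:space:]]*=/ && /sudo/ {f=1}
            END{exit !f}' "$sssdconf"; then
        echo "ok: sudo responder listed in [sssd] services"
    else
        echo "missing: sudo in [sssd] services"; rc=1
    fi

    # 3) sudo_provider inside a [domain/...] section; 'ipa' needs no ldap_*/krb5_* lines
    provider=$(awk -F= '/^\[domain\//{d=1;next} /^\[/{d=0}
               d && $1 ~ /^[[:space:]]*sudo_provider[[:space:]]*$/ {gsub(/[[:space:]]/,"",$2); print $2; exit}' "$sssdconf")
    case "$provider" in
        ipa)  echo "ok: sudo_provider = ipa (servers located by IPA service discovery)" ;;
        ldap) echo "ok: sudo_provider = ldap (ldap_uri and ldap_sudo_search_base must be set)" ;;
        "")   echo "missing: sudo_provider in the [domain/...] section"; rc=1 ;;
        *)    echo "unexpected: sudo_provider = $provider"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (placeholder domain example.test): the minimal
# configuration the reply recommends. Prints the directory they were written to.
write_samples() {
    dir=$(mktemp -d)
    printf 'passwd: files sss\nsudoers: sss files\n' > "$dir/nsswitch.conf"
    printf '[sssd]\nservices = nss, pam, sudo, ssh\ndomains = example.test\n\n[domain/example.test]\nid_provider = ipa\nsudo_provider = ipa\n' > "$dir/sssd.conf"
    echo "$dir"
}

d=$(write_samples)
sudo_sss_check "$d/nsswitch.conf" "$d/sssd.conf"
```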
 



