[Freeipa-users] sudo utilizing sssd rhel6.6
sipazzo
sipazzo at yahoo.com
Fri Dec 5 14:43:25 UTC 2014
Thank you both. I was able to get this working by just adding the sudo_provider = ipa to sssd.conf. I removed all the ldap_uri and krb5_server lines to keep the file tidier. I had read service discovery works with sssd but was told by Red Hat support it does not. I am happy to hear it does as it is much easier to maintain.
Thanks again.
--------------------------------------------
On Wed, 12/3/14, Lukas Slebodnik <lslebodn at redhat.com> wrote:
Subject: Re: [Freeipa-users] sudo utilizing sssd rhel6.6
To: "sipazzo" <sipazzo at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Wednesday, December 3, 2014, 7:38 AM
On (03/12/14 06:05), sipazzo wrote:
>Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
>
>yum install -y libsss_sudo
>
>Added to /etc/nsswitch.conf
>
>sudoers: sss files
>
>Add nisdomainname:
>
>nisdomainname ipadomain.com
>echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network
>
>Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
>
>[domain/ipadomain.com]
>……….
>
>sudo_provider = ldap
>ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
>ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
>ldap_sasl_mech = GSSAPI
>ldap_sasl_authid = host/ipaclient1.ipadomain.com
>ldap_sasl_realm = ipadomain.COM
>krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
>
>[sssd]
>services = nss, pam, sudo, ssh
>
>[sudo]
>
>
>Restart sssd service
>
>I know that libsss_sudo is now included as part of another package and read that you need sssd-common which I tried installing to no avail as well. I had been told that despite the man pages on sssd I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records but am not sure that is correct.
>
>Questions:
>1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system
Configuration from rhel 6.5 should work also on rhel 6.6
But rhel 6.6 can work also with sudo_provider = ipa
In this case sssd configuration is easier. You can find details in manual page
man sssd-sudo.
>2) Are the steps any different for a new system (i.e. I read it is "seamless" but I guess we still have to manually edit files?)
On rhel6.6 ipa-client-install should configure sudo unless you executed ipa-client-install with --no-sudo
>3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server and do we have to specify the ldap_sasl_authid with the client hostname
Yes, it does.
man sssd.ldap -> SERVICE DISCOVERY
If you use sudo_provider=ipa then you will not need to configure all ldap_* krb5_* options on your own.
LS
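As an added example that is not part of the thread or of sssd itself, the following POSIX shell script checks an sssd.conf and an nsswitch.conf for the three settings the thread converges on: a sudo_provider in the [domain/...] section (ipa, or the older ldap setup), the sudo responder in the [sssd] services list, and sss on the sudoers line. The domain name, file paths and sample configurations are constructed for the demonstration; on a real client you would point the functions at /etc/sssd/sssd.conf and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: a read-only check of the
# settings needed for sudo rules to be served through sssd. Paths are
# parameters, so it runs here against constructed sample files.

# Print the sudo_provider value from the [domain/<domain>] section.
# Exit status 1 when the section or the key is absent.
sssd_sudo_provider() {
    awk -v sect="[domain/$2]" '
        /^\[/ { hdr = $0; sub(/[ \t]*$/, "", hdr); in_sect = (hdr == sect); next }
        in_sect && /^[ \t]*sudo_provider[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Exit 0 when the [sssd] services list names the sudo responder
# (required on the RHEL 6 sssd the thread discusses).
sssd_sudo_service_enabled() {
    awk '
        /^\[/ { hdr = $0; sub(/[ \t]*$/, "", hdr); in_sect = (hdr == "[sssd]"); next }
        in_sect && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Exit 0 when the sudoers line of nsswitch.conf lists the sss source.
nsswitch_sudoers_uses_sss() {
    awk '
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")
            n = split($0, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Combined verdict: exit 0 only when all three settings are in place.
check_sudo_integration() {
    conf="$1"; nss="$2"; domain="$3"
    provider=$(sssd_sudo_provider "$conf" "$domain") ||
        { echo "FAIL: no sudo_provider in [domain/$domain] of $conf"; return 1; }
    case "$provider" in
        ipa)  echo "OK: sudo_provider = ipa (ldap_*/krb5_* settings derived by the IPA provider)" ;;
        ldap) echo "OK: sudo_provider = ldap (the RHEL 6.5-style setup from the thread)" ;;
        *)    echo "FAIL: unexpected sudo_provider '$provider'"; return 1 ;;
    esac
    sssd_sudo_service_enabled "$conf" ||
        { echo "FAIL: 'sudo' missing from services in [sssd]"; return 1; }
    nsswitch_sudoers_uses_sss "$nss" ||
        { echo "FAIL: sudoers line in $nss does not list sss"; return 1; }
}

# Constructed sample files (not taken from any real host).
tmpdir=$(mktemp -d)
GOOD_CONF="$tmpdir/sssd-ipa.conf"; LDAP_CONF="$tmpdir/sssd-ldap.conf"
BAD_CONF="$tmpdir/sssd-bad.conf"
GOOD_NSS="$tmpdir/nsswitch-good.conf"; BAD_NSS="$tmpdir/nsswitch-bad.conf"

cat > "$GOOD_CONF" <<'EOF'
[sssd]
services = nss, pam, sudo, ssh
[domain/ipadomain.com]
id_provider = ipa
sudo_provider = ipa
EOF
cat > "$LDAP_CONF" <<'EOF'
[sssd]
services = nss, pam, sudo, ssh
[domain/ipadomain.com]
id_provider = ipa
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
ldap_sasl_mech = GSSAPI
EOF
cat > "$BAD_CONF" <<'EOF'
[sssd]
services = nss, pam, ssh
[domain/ipadomain.com]
id_provider = ipa
EOF
printf 'passwd: files sss\nsudoers: sss files\n' > "$GOOD_NSS"
printf 'passwd: files sss\nsudoers: files\n' > "$BAD_NSS"

echo "--- constructed ipa-provider config ---"
check_sudo_integration "$GOOD_CONF" "$GOOD_NSS" ipadomain.com
echo "--- constructed ldap-provider config ---"
check_sudo_integration "$LDAP_CONF" "$GOOD_NSS" ipadomain.com
echo "--- constructed broken config ---"
check_sudo_integration "$BAD_CONF" "$BAD_NSS" ipadomain.com || true
```

The checks deliberately read only the files and never touch the sssd cache or restart the service, so they are safe to run from a configuration-management audit step after `ipa-client-install` or a patch cycle; the broken sample reproduces the symptom from the thread (no sudo_provider and no sudo responder), which the combined check reports on its first failing condition.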