[Freeipa-users] authentication against compat

Steve Dainard sdainard at miovision.com
Thu Feb 13 23:04:44 UTC 2014


I don't think this is an issue of bugs or documentation, more of design.
Perhaps there's someplace other than a users list this belongs in but:

If IPA is a centrally managed identity and access control system, should
these configurations not be passed to clients, rather than every client
needing configuration changes post join? Obviously I can automate config
changes, but why would I want to? I don't think sudoers priv is a fringe
case, it's pretty much THE case for access/admin control. I cringe to
compare to a Windows domain, but I don't have to manually tell a domain
client that it should respect the rules I set on a domain controller, I
joined it to the domain for this reason.

Maybe you're working towards this, but in the meantime it would be great if
the options existed in the config files so we immediately know what options
are available and can comment/uncomment them rather than searching around
man pages for options that might exist.

I believe you were looking for a documentation bug:

# man sssd-sudo
       To enable SSSD as a source for sudo rules, add sss to the sudoers entry
       in nsswitch.conf(5).

       For example, to configure sudo to first lookup rules in the standard
       sudoers(5) file (which should contain rules that apply to local users)
       and then in SSSD, the nsswitch.conf file should contain the following
       line:

           sudoers: files sss

# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files mdns4_minimal [NOTFOUND=return] dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus



Entry does not exist.






On Thu, Feb 13, 2014 at 5:15 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Thu, Feb 13, 2014 at 03:05:07PM -0500, Steve Dainard wrote:
> > Is this server or client side where sudo_provider=ipa is included in ver
> > 1.11.x?
>
> Client side (sssd)
>
> >
> > My fedora 20 client doesn't have this option listed, or is it baked in?
> >
>
> Where exactly do you see the documentation lacking, perhaps the sssd-ipa
> man page, or the sssd-sudo man page? I agree that docs are important,
> but my view might be skewed because I know the internals..
>
> All that should be required with 1.9.6 or 1.11.x is:
>     sudo_provider=ipa
>
> And enabling the 'sss' module in /etc/nsswitch.conf:
>     sudoers: files sss
>
> That's it. Please let us know if you find any bugs in code or docs.
>
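As an added example (not from Steve's or Jakub's mail, and not SSSD project code): a small POSIX shell helper that applies and checks the two settings Jakub lists, so the post-join change Steve describes can be automated idempotently. The file paths are passed as arguments (an assumption made here so it can be run against copies first).

```shell
#!/bin/sh
# Ensure the nsswitch.conf "sudoers:" entry includes the sss module, as sssd-sudo(5)
# describes, and check that sssd.conf selects sudo_provider = ipa in a domain section.

# Print the active (uncommented) sudoers line of the given nsswitch.conf, if any.
nss_sudoers_line() {
    grep -E '^[[:space:]]*sudoers[[:space:]]*:' "$1" | head -n 1
}

# Exit 0 if the sudoers entry already lists sss, 1 otherwise.
nss_sudoers_has_sss() {
    nss_sudoers_line "$1" | grep -qw 'sss'
}

# Add "sudoers: files sss" when the entry is missing (the case in the mail above),
# or append sss to an existing entry that lacks it. Re-running changes nothing.
nss_ensure_sudoers_sss() {
    f="$1"
    if nss_sudoers_has_sss "$f"; then
        return 0
    fi
    if [ -n "$(nss_sudoers_line "$f")" ]; then
        # Entry exists (e.g. "sudoers: files"): keep its modules, append sss.
        tmp="$f.tmp.$$"
        sed -E 's/^([[:space:]]*sudoers[[:space:]]*:(.*[^[:space:]])?)[[:space:]]*$/\1 sss/' \
            "$f" > "$tmp" && mv "$tmp" "$f"
    else
        # No entry at all: local sudoers(5) file first, then SSSD.
        printf 'sudoers:    files sss\n' >> "$f"
    fi
}

# Exit 0 if some [domain/...] section of the given sssd.conf sets sudo_provider = ipa.
# A sudo_provider line outside a domain section does not count.
sssd_has_ipa_sudo_provider() {
    awk '
        /^\[domain\// { in_domain = 1; next }
        /^\[/         { in_domain = 0 }
        in_domain && $0 ~ /^[[:space:]]*sudo_provider[[:space:]]*=[[:space:]]*ipa[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}
```

On a real client, run the helper against /etc/nsswitch.conf and /etc/sssd/sssd.conf, restart sssd, and confirm with `sudo -l` as an IPA user that the rules are served.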