[Freeipa-users] sudo log errors

Jakub Hrozek jhrozek at redhat.com
Fri Jan 17 18:42:09 UTC 2014


On Wed, Jan 15, 2014 at 11:45:58AM +0100, Natxo Asenjo wrote:
> On Wed, Jan 15, 2014 at 10:59 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> > On Wed, Jan 15, 2014 at 10:09:20AM +0100, Natxo Asenjo wrote:
> >> > On what platform are you ? With sudo-sssd integration you shouldn't use
> >> > directly ldap anymore.
> >>
> >> centos 6.5 on these hosts. So if I use sssd instead of ldap for sudo
> >> this could go away?
> >
> > I believe so, with the sssd integration, the sudo fetches all data from
> > the SSSD. One catch though, there is no "sudo_provider=ipa" in 6.5, but
> > man sssd-sudo should contain an example of setting up
> > "sudo_provider=ldap" on an IPA client.
> 
> ok. If I configure sssd.conf like that, do I need to configure
> anything in /etc/sudo-ldap.conf or are those mutually exclusive?

Sorry for the late reply.

Not mutually exclusive, but they do the same thing :-) It's the same as
having both sssd and nss_ldap configured for passwd lookups.

In order for the sudo binary to be able to talk to sssd you need to install
libsss_sudo. (This is only applicable to RHEL6, in later upstream versions
we folded the binary back to sssd proper)

> 
> I have now this in /etc/sudo-ldap.conf:
> 
> TLS_CACERT /etc/ipa/ca.crt
> TLS_REQCERT demand
> SASL_MECH GSSAPI
> BASE dc=sub,dc=domain,dc=tld
> URI ldaps://kdc01.sub.domain.tld ldaps://kdc02.sub.domain.tld
> ROOTUSE_SASL on
> SUDOERS_BASE ou=sudoers,dc=sub,dc=domain,dc=tld
> SUDOERS_DEBUG 0

You should include "sss" as the data source in /etc/nsswitch.conf
# grep sudo /etc/nsswitch.conf
sudoers:    files sss

> 
> and this in sssd.conf
> 
> [sssd]
> domains = sub.domain.tld
> services = nss, pam, ssh

'sudo' needs to be included as one of the services.

> config_file_version = 2
> 
> [nss]
> 
> [pam]
> 
> [domain/sub.domain.tld]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = sub.domain.tld
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, kdc01.sub.domain.tld
> ldap_tls_cacert = /etc/ipa/ca.crt
> entry_cache_netgroup_timeout = 300

Unfortunately with 6.5 there is still no sudo ipa provider, there might
be with one in 6.6. So in order to download the sudo rules you need to
configure the LDAP sudo provider manually. It would look something like:

sudo_provider = ldap
ldap_uri = ldap://kdc01.sub.domain.tld
ldap_sudo_search_base = ou=sudoers,dc=sub,dc=domain,dc=tld
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.sub.domain.tld
ldap_sasl_realm = SUB.DOMAIN.TLD
krb5_server = kdc01.sub.domain.tld

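Pulling the reply's three requirements together (libsss_sudo installed, "sss" on the sudoers: line of nsswitch.conf, "sudo" in the [sssd] services list, and a manually configured LDAP sudo provider in the domain section), here is an added POSIX sh checker that is not part of this thread and not an SSSD or FreeIPA tool. It writes two constructed sssd.conf samples, one mirroring the poster's original file and one with the settings from the reply, plus a constructed nsswitch.conf, and reports which pieces are missing. The temp-dir paths and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit an sssd.conf / nsswitch.conf pair for sudo-over-SSSD
# on a RHEL6-era client (sudo_provider = ldap, no ipa sudo provider yet).
# All files below are constructed samples written to a temp dir (assumption).

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
OLD_CONF="$DEMO_DIR/sssd.conf.before"   # poster's original layout
SSSD_CONF="$DEMO_DIR/sssd.conf.after"   # with the reply's additions
NSSWITCH="$DEMO_DIR/nsswitch.conf"

cat > "$OLD_CONF" <<'EOF'
[sssd]
domains = sub.domain.tld
services = nss, pam, ssh
config_file_version = 2

[nss]

[pam]

[domain/sub.domain.tld]
id_provider = ipa
auth_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
EOF

cat > "$SSSD_CONF" <<'EOF'
[sssd]
domains = sub.domain.tld
services = nss, pam, ssh, sudo
config_file_version = 2

[domain/sub.domain.tld]
id_provider = ipa
auth_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://kdc01.sub.domain.tld
ldap_sudo_search_base = ou=sudoers,dc=sub,dc=domain,dc=tld
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.sub.domain.tld
ldap_sasl_realm = SUB.DOMAIN.TLD
krb5_server = kdc01.sub.domain.tld
EOF

cat > "$NSSWITCH" <<'EOF'
passwd:     files sss
hosts:      files dns
sudoers:    files sss
EOF

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s); insec = (s == sec); next }
        insec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# list_has "a, b, c" ITEM: succeed if ITEM is one element of the comma list.
list_has() {
    echo "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx "$2"
}

# nss_has_sss FILE DB: succeed if the "DB:" line in nsswitch.conf lists sss.
nss_has_sss() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
                      END { exit !found }' "$1"
}

# check_sudo_sssd SSSD_CONF NSSWITCH DOMAIN: print findings; return the count of problems.
check_sudo_sssd() {
    conf=$1; nss=$2; dom=$3; problems=0
    list_has "$(ini_get "$conf" sssd services)" sudo ||
        { echo "MISSING: 'sudo' not in [sssd] services"; problems=$((problems + 1)); }
    [ "$(ini_get "$conf" "domain/$dom" sudo_provider)" = "ldap" ] ||
        { echo "MISSING: sudo_provider = ldap in [domain/$dom]"; problems=$((problems + 1)); }
    for key in ldap_uri ldap_sudo_search_base ldap_sasl_mech; do
        [ -n "$(ini_get "$conf" "domain/$dom" "$key")" ] ||
            { echo "MISSING: $key in [domain/$dom]"; problems=$((problems + 1)); }
    done
    nss_has_sss "$nss" sudoers ||
        { echo "MISSING: 'sss' on the sudoers: line of nsswitch.conf"; problems=$((problems + 1)); }
    return $problems
}

echo "== before =="; check_sudo_sssd "$OLD_CONF"  "$NSSWITCH" sub.domain.tld || echo "$? problem(s)"
echo "== after  =="; check_sudo_sssd "$SSSD_CONF" "$NSSWITCH" sub.domain.tld && echo "ok"
```

Against the poster's layout the script reports five gaps (no sudo service, no sudo_provider, and the three LDAP sudo keys absent); against the amended file it prints "ok". It only inspects files, so it is safe to run on a real client by pointing the three path variables at /etc/sssd/sssd.conf and /etc/nsswitch.conf; the libsss_sudo package itself still has to be verified with rpm, which the script deliberately does not do.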