[Freeipa-users] SSS for sudoers confusion
David Taylor
dtaylor at pactelint.com
Mon Mar 10 23:34:11 UTC 2014
Hi all,
I'm in the process of testing IPA server for centralised
authentication of our Linux hosts. We run CentOS 6.5 and it's all new, so
we have no legacy issues.
In the lab I've set up an IPA server with the yum install and used a local
bind instance, which all seems to be working correctly. Where the issues
begin is with the sudoers functionality. After reading the manual and
consulting Google sensei I found a number of resources that talk about
setting up LDAP either natively in the nsswitch.conf file or via SSSD.
I've tried a number of slightly different configurations on the client
side with little effect. So the question is: "what is the process for
configuring an IPA system to handle sudo functionality?"
Any help is greatly appreciated.
---------------------- nsswitch.conf --------------------------------------
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files sss
shadow: files sss
group: files sss
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
sudoers: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
--------------------------------------------------------------------------
---------------------- sssd.conf ------------------------------------------
[domain/test.example.net]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = TEST.EXAMPLE.NET
krb5_server = ipa-server-1.test.example.net
ipa_domain = test.example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-server-1.test.example.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa-server-1.test.example.net
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_uri = ldap://ipa-server-1.test.example.net
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test.example.net
ldap_sasl_realm = TEST.EXAMPLE.NET
domains = test.example.net
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
--------------------------------------------------------------------------
Best regards
David Taylor
David Taylor
Head of Engineering - SpeedCast Pacific
Level 1, Unit 4F
12 Lord St, Botany
NSW, Australia, 2019
Office +61 2 9531 7555
Direct: +61 2 9086 2787
Mobile: +61 4 3131 1146
24x7 Helpdesk +61 2 9016 3222
Web: http://www.example.com / www.speedcast.com
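As an added check that is not part of the original post, the following Python lints the posted sssd.conf: sudo_provider, ldap_sudo_search_base and the ldap_sasl_* options are per-domain options in sssd.conf(5)/sssd-ldap(5)/sssd-sudo(5), so placed under [sssd] they have no effect, and the script reports them and rewrites them into the [domain/test.example.net] section. The embedded config is a constructed, trimmed copy of the one above; the section and key names are taken from the post.

```python
import configparser
import io

# Per-domain options (sssd.conf(5), sssd-ldap(5), sssd-sudo(5)): they only take
# effect inside a [domain/NAME] section, not under [sssd].
DOMAIN_ONLY_KEYS = {"sudo_provider", "ldap_sudo_search_base",
                    "ldap_sasl_mech", "ldap_sasl_authid", "ldap_sasl_realm"}

# Constructed sample: the sudo-relevant parts of the sssd.conf posted above.
POSTED_CONF = """\
[domain/test.example.net]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa-server-1.test.example.net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test.example.net
ldap_sasl_realm = TEST.EXAMPLE.NET
domains = test.example.net
"""

def parse(text):
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # do not lower-case keys
    cp.read_string(text)
    return cp

def misplaced_sudo_keys(text):
    """(section, key) pairs for per-domain keys found outside any [domain/...] section."""
    cp = parse(text)
    return [(s, k) for s in cp.sections() if not s.startswith("domain/")
            for k in cp[s] if k in DOMAIN_ONLY_KEYS]

def fix_sudo_sections(text):
    """Move misplaced keys into every domain listed in [sssd] domains; return the new text."""
    cp = parse(text)
    targets = ["domain/" + d.strip() for d in cp["sssd"]["domains"].split(",")]
    for section, key in misplaced_sudo_keys(text):
        value = cp[section].pop(key)
        for target in targets:
            cp[target][key] = value
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Point it at a real file with open("/etc/sssd/sssd.conf").read(); once the options sit in the domain section and sssd has been restarted, `sudo -l` on the client should list the IPA-defined rules for the user.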