[Freeipa-users] SSS for sudoers confusion

Dmitri Pal dpal at redhat.com
Mon Mar 10 23:48:31 UTC 2014


On 03/10/2014 07:34 PM, David Taylor wrote:
> Hi all,
> I'm in the process of testing IPA server for centralised
> authentication of our linux hosts. We run CentOS 6.5 and it's all new so
> we have no legacy issues.
>
> In the lab I've set up an IPA server with the yum install and used a local
> bind instance which all seems to be working correctly. Where the issues
> begin is with the sudoers functionality. After reading the manual and
> consulting Google sensei I found a number of resources that talk about
> setting up ldap either natively in the nsswitch.conf file or via sssd,
> I've tried a number of slightly different configurations on the client
> side with little effect. So the question is "what is the process for
> configuring an IPA system to handle sudo functionality?"
>
> Any help is greatly appreciated.

http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

>
> ----------------------nssswitch.conf--------------------------------------
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       db                      Use the local database (.db) files
> #       compat                  Use NIS on compat mode
> #       hesiod                  Use Hesiod for user lookups
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> sudoers:    files sss
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files sss
> aliases:    files nisplus
>
> --------------------------------------------------------------------------
>
> ----------------------sssd.conf-------------------------------------------
> [domain/test.example.net]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = TEST.EXAMPLE.NET
> krb5_server = ipa-server-1.test.example.net
> ipa_domain = test.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-server-1.test.example.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa-server-1.test.example.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_uri = ldap://ipa-server-1.test.example.net
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> sudo_provider = ldap
> ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipa-client.test.example.net
> ldap_sasl_realm = TEST.EXAMPLE.NET
>
> domains = test.example.net
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
> --------------------------------------------------------------------------
>
> Best regards
> David Taylor
>
> David Taylor
> Head of Engineering - SpeedCast Pacific
>
>
>
> Level 1, Unit 4F
> 12 Lord St, Botany
> NSW, Australia, 2019
> Office                      +61 2 9531 7555
> Direct:               +61 2 9086 2787
> Mobile:              +61 4 3131 1146
> 24x7 Helpdesk   +61 2 9016 3222
> Web:                http://www.example.com / www.speedcast.com
>
> To strengthen our corporate identity in target markets worldwide,
> effective 18th January, we have commenced operating under the SpeedCast
> name.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
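The sssd.conf quoted above places sudo_provider, ldap_sudo_search_base and the ldap_sasl_* options in the [sssd] section, but sssd.conf(5) and sssd-ldap(5) define them as per-domain options, so they are not honoured there; the [sssd] section only needs the sudo responder in services, and nsswitch.conf needs "sudoers: files sss". The checker below is an added example, not code from this thread or from the FreeIPA or SSSD projects; it reads constructed, reduced copies of the posted files and reports exactly that class of misplacement, alongside a corrected copy that passes.

```python
import configparser

# Constructed sample (reduced copy of the sssd.conf posted in the thread):
# the sudo-related options sit in [sssd] instead of the domain section.
SSSD_CONF_MISPLACED = """\
[domain/test.example.net]
krb5_realm = TEST.EXAMPLE.NET
krb5_server = ipa-server-1.test.example.net
id_provider = ipa
auth_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_uri = ldap://ipa-server-1.test.example.net

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test.example.net
ldap_sasl_realm = TEST.EXAMPLE.NET
domains = test.example.net

[nss]
[pam]
[sudo]
"""

# Constructed sample: the same file with those options moved into the domain.
SSSD_CONF_FIXED = """\
[domain/test.example.net]
krb5_realm = TEST.EXAMPLE.NET
krb5_server = ipa-server-1.test.example.net
id_provider = ipa
auth_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_uri = ldap://ipa-server-1.test.example.net
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test.example.net
ldap_sasl_realm = TEST.EXAMPLE.NET

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = test.example.net

[nss]
[pam]
[sudo]
"""

# Constructed sample of the relevant nsswitch.conf lines.
NSSWITCH_SAMPLE = """\
passwd:     files sss
# sudoers:  files
sudoers:    files sss
netgroup:   files sss
"""

# Per-domain options from sssd.conf(5) and sssd-ldap(5); sssd does not read
# them from the [sssd] section.
SUDO_DOMAIN_OPTIONS = (
    "sudo_provider",
    "ldap_sudo_search_base",
    "ldap_sasl_mech",
    "ldap_sasl_authid",
    "ldap_sasl_realm",
)


def _csv(value):
    """Split an sssd comma-separated value into a list of trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def lint_sssd_conf(text):
    """Return a list of problems found in an sssd.conf; empty means it passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    problems = []
    if "sudo" not in _csv(cp.get("sssd", "services", fallback="")):
        problems.append("the sudo responder is not listed in [sssd] services")
    for opt in SUDO_DOMAIN_OPTIONS:
        if cp.has_option("sssd", opt):
            problems.append(f"{opt} is set in [sssd] but belongs in the [domain/...] section")
    for dom in _csv(cp.get("sssd", "domains", fallback="")):
        section = f"domain/{dom}"
        if not cp.has_section(section):
            problems.append(f"domains lists {dom} but [{section}] is missing")
        elif not cp.has_option(section, "sudo_provider"):
            problems.append(f"[{section}] has no sudo_provider, so no sudo rules are fetched for it")
    return problems


def nsswitch_uses_sss(text, database="sudoers"):
    """True if the given nsswitch.conf database lists sss as a source."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.startswith(database + ":"):
            return "sss" in line.split(":", 1)[1].split()
    return False


if __name__ == "__main__":
    for name, conf in (("posted", SSSD_CONF_MISPLACED), ("fixed", SSSD_CONF_FIXED)):
        print(f"{name} sssd.conf:", lint_sssd_conf(conf) or ["ok"])
    print("nsswitch sudoers uses sss:", nsswitch_uses_sss(NSSWITCH_SAMPLE))
```

Run against a real host by passing the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf to the two functions; a non-empty list from lint_sssd_conf or False from nsswitch_uses_sss points at the file to fix before looking anywhere else.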
