[Freeipa-users] SSS for sudoers confusion
Dmitri Pal
dpal at redhat.com
Mon Mar 10 23:48:31 UTC 2014
On 03/10/2014 07:34 PM, David Taylor wrote:
> Hi all,
> I'm in the process of testing IPA server for centralised
> authentication of our linux hosts. We run CentOS 6.5 and it's all new so
> we have no legacy issues.
>
> In the lab I've set up an IPA server with the yum install and used a local
> bind instance which all seems to be working correctly. Where the issues
> begin is with the sudoers functionality. After reading the manual and
> consulting Google sensei I found a number of resources that talk about
> setting up ldap either natively in the nsswitch.conf file or via sssd,
> I've tried a number of slightly different configurations on the client
> side with little effect. So the question is "what is the process for
> configuring an IPA system to handle sudo functionality".
>
> Any help is greatly appreciated.
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
> ---------- nsswitch.conf ----------
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> # nisplus Use NIS+ (NIS version 3)
> # nis Use NIS (NIS version 2), also called YP
> # dns Use DNS (Domain Name Service)
> # files Use the local files
> # db Use the local database (.db) files
> # compat Use NIS on compat mode
> # hesiod Use Hesiod for user lookups
> # [NOTFOUND=return] Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd: db files nisplus nis
> #shadow: db files nisplus nis
> #group: db files nisplus nis
>
> passwd: files sss
> shadow: files sss
> group: files sss
>
> #hosts: db files nisplus nis dns
> hosts: files dns
>
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> sudoers: files sss
> netgroup: files sss
>
> publickey: nisplus
>
> automount: files sss
> aliases: files nisplus
>
> ---------- sssd.conf ----------
> [domain/test.example.net]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = TEST.EXAMPLE.NET
> krb5_server = ipa-server-1.test.example.net
> ipa_domain = test.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-server-1.test.example.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa-server-1.test.example.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_uri = ldap://ipa-server-1.test.example.net
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> sudo_provider = ldap
> ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipa-client.test.example.net
> ldap_sasl_realm = TEST.EXAMPLE.NET
>
> domains = test.example.net
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
> ----------
>
> Best regards
> David Taylor
>
> David Taylor
> Head of Engineering - SpeedCast Pacific
>
>
>
> Level 1, Unit 4F
> 12 Lord St, Botany
> NSW, Australia, 2019
> Office +61 2 9531 7555
> Direct: +61 2 9086 2787
> Mobile: +61 4 3131 1146
> 24x7 Helpdesk +61 2 9016 3222
> Web: http://www.example.com / www.speedcast.com
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
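The sssd.conf quoted above puts `sudo_provider`, `ldap_sudo_search_base` and the `ldap_sasl_*` keys under `[sssd]`, but SSSD reads those only from a `[domain/...]` section, so they have no effect where they are. `ipa_hostname` is also set to the server's name, although that option names the client itself, the same machine as the `host/` principal in `ldap_sasl_authid`. SSSD 1.9 on CentOS 6.5 has no config checker of its own, so the script below, an added example that is not code from this thread, from SSSD or from FreeIPA, lints a constructed copy of that sssd.conf and nsswitch.conf for those mistakes and moves the misplaced keys into the domain section. The option list, finding codes and sample configs are the example's own assumptions.

```python
"""Lint an sssd.conf / nsswitch.conf pair for the IPA sudo mistakes that
leave `sudo -l` without rules, and move misplaced keys into the domain
section.  Added example for this thread, not SSSD or FreeIPA code."""
import configparser
import re

# Keys SSSD honours only inside a [domain/...] section; under [sssd] they
# have no effect.  (Assumption: limited to the keys relevant to sudo here.)
DOMAIN_ONLY = frozenset({
    "sudo_provider", "ldap_sudo_search_base", "ldap_sasl_mech",
    "ldap_sasl_authid", "ldap_sasl_realm",
})

# Constructed sample, trimmed from the config quoted in the thread.
SSSD_CONF = """\
[domain/test.example.net]
krb5_realm = TEST.EXAMPLE.NET
krb5_server = ipa-server-1.test.example.net
ipa_domain = test.example.net
id_provider = ipa
auth_provider = ipa
ipa_hostname = ipa-server-1.test.example.net
ldap_uri = ldap://ipa-server-1.test.example.net

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test.example.net
ldap_sasl_realm = TEST.EXAMPLE.NET
domains = test.example.net
"""

# Constructed sample: only the nsswitch.conf lines the lint looks at.
NSSWITCH_CONF = "passwd: files sss\nsudoers: files sss\nnetgroup: files sss\n"


def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def lint(sssd_text, nsswitch_text):
    """Return (code, message) findings; an empty list means nothing found."""
    cp = parse(sssd_text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append(("services", "[sssd] services lacks 'sudo', so the sudo responder never starts"))
    present = cp.options("sssd") if cp.has_section("sssd") else []
    for key in sorted(DOMAIN_ONLY.intersection(present)):
        findings.append(("misplaced", key + " is under [sssd]; it only takes effect in [domain/...]"))
    flat = {k: v.strip() for s in cp.sections() for k, v in cp.items(s)}
    if flat.get("sudo_provider") == "ldap" and "ldap_uri" not in flat:
        findings.append(("ldap_uri", "sudo_provider = ldap needs ldap_uri"))
    # ipa_hostname names this client; the host/ principal used for the
    # GSSAPI bind must be the same machine, or the bind identity is wrong.
    authid = flat.get("ldap_sasl_authid", "")
    if authid.startswith("host/"):
        principal_host = authid[5:].split("@", 1)[0]
        if flat.get("ipa_hostname", principal_host) != principal_host:
            findings.append(("hostname", "ipa_hostname=%s but ldap_sasl_authid names %s"
                             % (flat["ipa_hostname"], principal_host)))
    sudoers = [ln for ln in nsswitch_text.splitlines() if ln.lstrip().startswith("sudoers:")]
    if not sudoers or "sss" not in sudoers[0].split(":", 1)[1].split():
        findings.append(("nsswitch", "nsswitch.conf needs 'sudoers: files sss'"))
    return findings


def move_domain_options(sssd_text):
    """Move DOMAIN_ONLY keys found under [sssd] to just below the [domain/...]
    header.  Line-based so comments and order survive; assumes one domain."""
    kept, moved, section = [], [], None
    for line in sssd_text.splitlines():
        header = re.match(r"\s*\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
        key = re.match(r"\s*([A-Za-z0-9_]+)\s*=", line)
        if section == "sssd" and key and key.group(1) in DOMAIN_ONLY:
            moved.append(line.strip())
            continue
        kept.append(line)
    out = []
    for line in kept:
        out.append(line)
        if re.match(r"\s*\[domain/", line):
            out.extend(moved)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for code, msg in lint(SSSD_CONF, NSSWITCH_CONF):
        print("%-10s %s" % (code, msg))
    print(move_domain_options(SSSD_CONF))
```

On the client, write the corrected file to /etc/sssd/sssd.conf owned by root with mode 0600 (SSSD refuses to start otherwise, since the file can hold credentials), restart sssd and test with `sudo -l` as an IPA user. Because the `ou=sudoers` compat tree expresses host groups as netgroups, the client's NIS domain name must also be set to the IPA domain, e.g. `authconfig --nisdomain=test.example.net --update`, or hostgroup-based rules will never match.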