[Freeipa-users] FW: SSS for sudoers confusion (Solved)
David Taylor
dtaylor at pactelint.com
Tue Mar 11 02:57:16 UTC 2014
Ok here is the info that finally made it all work
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
I seem to have had all the elements in there already so I suspect it was a
statement order issue
Best regards
David Taylor
-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, 11 March 2014 10:49 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] SSS for sudoers confusion
On 03/10/2014 07:34 PM, David Taylor wrote:
> Hi all,
> I'm in the process of testing IPA server for centralised
> authentication of our linux hosts. We run CentOS 6.5 and it's all new
> so we have no legacy issues.
>
> In the lab I've set up an IPA server with the yum install and used a
> local bind instance which all seems to be working correctly. Where the
> issues begin is with the sudoers functionality. After reading the
> manual and consulting Google sensei I found a number of resources that
> talk about setting up ldap either natively in the nsswitch.conf file
> or via sssd, I've tried a number of slightly different configurations
> on the client side with little effect. So the question is "what is the
> process for configuring an IPA system to handle sudo functionality".
>
> Any help is greatly appreciated.
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
> ---------------------- nsswitch.conf ----------------------
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> # nisplus Use NIS+ (NIS version 3)
> # nis Use NIS (NIS version 2), also called YP
> # dns Use DNS (Domain Name Service)
> # files Use the local files
> # db Use the local database (.db) files
> # compat Use NIS on compat mode
> # hesiod Use Hesiod for user lookups
> # [NOTFOUND=return] Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd: db files nisplus nis
> #shadow: db files nisplus nis
> #group: db files nisplus nis
>
> passwd: files sss
> shadow: files sss
> group: files sss
>
> #hosts: db files nisplus nis dns
> hosts: files dns
>
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> sudoers: files sss
> netgroup: files sss
>
> publickey: nisplus
>
> automount: files sss
> aliases: files nisplus
>
> ------------------------------------------------------------
>
> ---------------------- sssd.conf ----------------------
> [domain/test.example.net]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = TEST.EXAMPLE.NET
> krb5_server = ipa-server-1.test.example.net
> ipa_domain = test.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-server-1.test.example.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa-server-1.test.example.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_uri = ldap://ipa-server-1.test.example.net
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> sudo_provider = ldap
> ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipa-client.test.example.net
> ldap_sasl_realm = TEST.EXAMPLE.NET
>
> domains = test.example.net
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
> ------------------------------------------------------------
>
> Best regards
> David Taylor
>
> David Taylor
> Head of Engineering - SpeedCast Pacific
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio Red Hat Inc.
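As an added example (not code from the thread, from Red Hat, or from the SSSD project), a small Python lint for the two things that decide whether sudo rules come from SSSD at all: the sudo responder being enabled in [sssd], and the per-domain sudo and LDAP options living in the [domain/...] section rather than in [sssd], which is where the posted config had them. The sample files are constructed from the config posted above (domain and host names are taken from the post); it assumes the sssd.conf uses only INI syntax that Python's configparser accepts.

```python
# Added example, not code from the thread or the SSSD project: lint an
# sssd.conf / nsswitch.conf pair for the sudo-integration pitfalls seen above.
import configparser

# Per sssd.conf(5) these options are per-domain: they only take effect inside a
# [domain/NAME] section and do nothing in the global [sssd] section.
DOMAIN_ONLY_OPTIONS = {"sudo_provider", "ldap_sudo_search_base", "ldap_sasl_mech",
                       "ldap_sasl_authid", "ldap_sasl_realm", "ldap_uri"}

# Constructed sample mirroring the config posted in the thread (names from the post).
SAMPLE_SSSD_CONF = """
[domain/test.example.net]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa-server-1.test.example.net
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
domains = test.example.net
"""
SAMPLE_NSSWITCH = "passwd: files sss\nsudoers: files sss  # sudo asks SSSD\n"

def lint_sssd_conf(text):
    """Return the problems that would stop sudo rules coming from SSSD."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return ["no [sssd] section"]
    problems = []
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    if "sudo" not in services:
        problems.append("[sssd] services must include 'sudo' for the sudo responder to start")
    for opt in sorted(DOMAIN_ONLY_OPTIONS & set(cp.options("sssd"))):
        problems.append(f"'{opt}' is in [sssd] but is a per-domain option: move it under [domain/...]")
    listed = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()}
    defined = {s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")}
    for d in sorted(listed ^ defined):
        problems.append(f"domain '{d}' is listed in [sssd] domains or has a section, but not both")
    return problems

def nsswitch_sources(text, database):
    """Sources configured for one nsswitch.conf database, e.g. 'sudoers'."""
    for line in text.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []
```

Run against the sample it reports the two misplaced options; once they are moved into the [domain/test.example.net] section it returns an empty list, and `nsswitch_sources(..., "sudoers")` confirms `sss` is consulted.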