[Freeipa-users] SSS for sudoers confusion

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 11 06:54:04 UTC 2014


On Tue, 11 Mar 2014, David Taylor wrote:
>@Dmitri - Thank you for your reply, that is actually one of the documents
>I read, however there seem to be some steps missing as with the
>configuration elements in place sudo doesn't work
>
>dtaylor is not allowed to run sudo on ipa-client.  This incident will be
>reported.
>
>There is some note about configuring a password on the ldap user however
>following the suggestions I found didn't actually work.
From your original email I can see that you put the sudo provider
configuration into the wrong section in sssd.conf. No wonder it does not
work. Any provider configuration must be in the domain section.

In RHEL 6.5 and before you can do like I describe here:
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html

In Fedora 20 you don't need to add anything for IPA case because sssd
will set everything up by default for IPA provider.

Did you actually read the man page sssd-sudo(5)? It has the exact configuration
changes you need to make.

>
>
>Best regards
>David Taylor
>
>
>-----Original Message-----
>From: freeipa-users-bounces at redhat.com
>[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>Sent: Tuesday, 11 March 2014 10:49 AM
>To: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] SSS for sudoers confusion
>
>On 03/10/2014 07:34 PM, David Taylor wrote:
>> Hi all,
>>             I'm in the process of testing IPA server for centralised
>> authentication of our linux hosts. We run CentOS 6.5 and it's all new
>> so we have no legacy issues.
>>
>> In the lab I've set up an IPA server with the yum install and used a
>> local bind instance which all seems to be working correctly. Where the
>> issues begin is with the sudoers functionality. After reading the
>> manual and consulting Google sensei I found a number of resources that
>> talk about setting up ldap either natively in the nsswitch.conf file
>> or via sssd, I've tried a number of slightly different configurations
>> on the client side with little effect. So the question is "what is the
>> process for configuring an IPA system to handle sudo functionality".
>>
>> Any help is greatly appreciated.
>
>http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
>>
>> ----------------------nsswitch.conf--------------------------------------
>> #
>> # /etc/nsswitch.conf
>> #
>> # An example Name Service Switch config file. This file should be
>> # sorted with the most-used services at the beginning.
>> #
>> # The entry '[NOTFOUND=return]' means that the search for an
>> # entry should stop if the search in the previous entry turned
>> # up nothing. Note that if the search failed due to some other reason
>> # (like no NIS server responding) then the search continues with the
>> # next entry.
>> #
>> # Valid entries include:
>> #
>> #       nisplus                 Use NIS+ (NIS version 3)
>> #       nis                     Use NIS (NIS version 2), also called YP
>> #       dns                     Use DNS (Domain Name Service)
>> #       files                   Use the local files
>> #       db                      Use the local database (.db) files
>> #       compat                  Use NIS on compat mode
>> #       hesiod                  Use Hesiod for user lookups
>> #       [NOTFOUND=return]       Stop searching if not found so far
>> #
>>
>> # To use db, put the "db" in front of "files" for entries you want to be
>> # looked up first in the databases
>> #
>> # Example:
>> #passwd:    db files nisplus nis
>> #shadow:    db files nisplus nis
>> #group:     db files nisplus nis
>>
>> passwd:     files sss
>> shadow:     files sss
>> group:      files sss
>>
>> #hosts:     db files nisplus nis dns
>> hosts:      files dns
>>
>> # Example - obey only what nisplus tells us...
>> #services:   nisplus [NOTFOUND=return] files
>> #networks:   nisplus [NOTFOUND=return] files
>> #protocols:  nisplus [NOTFOUND=return] files
>> #rpc:        nisplus [NOTFOUND=return] files
>> #ethers:     nisplus [NOTFOUND=return] files
>> #netmasks:   nisplus [NOTFOUND=return] files
>>
>> bootparams: nisplus [NOTFOUND=return] files
>>
>> ethers:     files
>> netmasks:   files
>> networks:   files
>> protocols:  files
>> rpc:        files
>> services:   files sss
>> sudoers:    files sss
>> netgroup:   files sss
>>
>> publickey:  nisplus
>>
>> automount:  files sss
>> aliases:    files nisplus
>>
>> --------------------------------------------------------------------------
>> ----------------------sssd.conf-------------------------------------------
>> [domain/test.example.net]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> krb5_realm = TEST.EXAMPLE.NET
>> krb5_server = ipa-server-1.test.example.net
>> ipa_domain = test.example.net
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = ipa-server-1.test.example.net
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = _srv_, ipa-server-1.test.example.net
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ldap_uri = ldap://ipa-server-1.test.example.net
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>> sudo_provider = ldap
>> ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/ipa-client.test.example.net
>> ldap_sasl_realm = TEST.EXAMPLE.NET
>>
>> domains = test.example.net
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>> --------------------------------------------------------------------------
>>
>> Best regards
>> David Taylor
>>
>> David Taylor
>> Head of Engineering - SpeedCast Pacific
>>
>>
>>
>> Level 1, Unit 4F
>> 12 Lord St, Botany
>> NSW, Australia, 2019
>> Office                      +61 2 9531 7555
>> Direct:               +61 2 9086 2787
>> Mobile:              +61 4 3131 1146
>> 24x7 Helpdesk   +61 2 9016 3222
>> Web:                http://www.example.com / www.speedcast.com
>>
>> To strengthen our corporate identity in target markets worldwide,
>> effective 18th January, we have commenced operating under the
>> SpeedCast name. Read More
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>
>
>-------------------------------
>Looking to carve out IT costs?
>www.redhat.com/carveoutcosts/
>
>
>

-- 
/ Alexander Bokovoy
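The structural mistake Alexander points out (sudo_provider and the ldap_sudo_*/ldap_sasl_* options living under [sssd] instead of under [domain/test.example.net]) is easy to check for mechanically. The script below is an added example, not code from the thread or from the SSSD project; it parses an sssd.conf with Python's standard configparser, lists backend options that sit outside a domain section, and produces a corrected copy with those options moved into the (single) domain section. The embedded config is a constructed sample modelled on the one quoted above; the helper names are this example's own. It fixes only placement: which provider to use (ipa vs ldap) and which search base to set are still the sssd-sudo(5) man page's business, and on an IPA client with id_provider = ipa the sudo provider defaults to ipa anyway.

```python
"""Flag sssd.conf backend options placed outside a [domain/...] section."""
import configparser
from typing import List, Tuple

# Constructed sample, modelled on the sssd.conf quoted in the thread:
# the sudo provider options were put in [sssd] instead of the domain section.
SAMPLE_SSSD_CONF = """
[domain/test.example.net]
cache_credentials = True
krb5_realm = TEST.EXAMPLE.NET
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipa-server-1.test.example.net

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
domains = test.example.net

[nss]

[pam]

[sudo]
"""


def _parse(conf_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(conf_text)
    return cp


def is_domain_option(key: str) -> bool:
    """Every *_provider setting and every ldap_*/krb5_*/ipa_* backend option
    belongs in a [domain/...] section (see sssd.conf(5), sssd-ldap(5), sssd-ipa(5))."""
    return key.endswith("_provider") or key.startswith(("ldap_", "krb5_", "ipa_"))


def misplaced_options(conf_text: str) -> List[Tuple[str, str]]:
    """Return (section, option) pairs for backend options found outside a domain section."""
    cp = _parse(conf_text)
    found = []
    for section in cp.sections():
        if section.startswith("domain/"):
            continue
        for key in cp[section]:
            if is_domain_option(key):
                found.append((section, key))
    return found


def move_to_domain(conf_text: str) -> str:
    """Return a corrected config with misplaced options moved into the domain section.

    Only handles the single-domain case; with several domains the operator has to
    decide which domain each option belongs to."""
    cp = _parse(conf_text)
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if len(domains) != 1:
        raise ValueError("expected exactly one [domain/...] section, found %d" % len(domains))
    target = domains[0]
    for section, key in misplaced_options(conf_text):
        cp[target][key] = cp[section][key]
        cp.remove_option(section, key)
    lines = []
    for section in cp.sections():
        lines.append("[%s]" % section)
        for key, value in cp[section].items():
            lines.append("%s = %s" % (key, value))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for section, key in misplaced_options(SAMPLE_SSSD_CONF):
        print("option %r in [%s] belongs in a [domain/...] section" % (key, section))
    print(move_to_domain(SAMPLE_SSSD_CONF))
```

Run it against /etc/sssd/sssd.conf by reading the file into a string; any line it prints is an option sssd will silently ignore for the purpose you intended, which is exactly the "not allowed to run sudo" symptom seen in the thread.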



