[Freeipa-users] Is it possible to set up SUDO with redundancy

Lukas Slebodnik lslebodn at redhat.com
Wed Nov 26 09:07:41 UTC 2014


On (25/11/14 19:39), William Muriithi wrote:
>> The implication of adding the above is that SUDO would break if the
>> hardcoded ipa is not available even if there is another replica somewhere
>> in the network. Is that a correct assumption?
>>
>> Is there a better way of doing it that I have missed?
>>
>
>Which version of sssd do you have?
>sssd >= 1.10 has native ipa sudo providers and you don't need to use
>"sudo_provider = ldap".
>
>----------------------------
>
>Sorry, responding from a BlackBerry, which doesn't seem to indent the question I am responding to.
>
>This is the sssd version I am using. Certainly newer than 1.10. Do you mind pointing me to the recommended way of handling SUDO now?
>
>
>sssd-common-1.11.2-68.el7_0.6.x86_64
>sssd-ipa-1.11.2-68.el7_0.6.x86_64
>sssd-1.11.2-68.el7_0.6.x86_64
>sssd-client-1.11.2-68.el7_0.6.x86_64
>sssd-ad-1.11.2-68.el7_0.6.x86_64
>sssd-proxy-1.11.2-68.el7_0.6.x86_64
>python-sssdconfig-1.11.2-68.el7_0.6.noarch
>sssd-common-pac-1.11.2-68.el7_0.6.x86_64
>sssd-krb5-1.11.2-68.el7_0.6.x86_64
>sssd-krb5-common-1.11.2-68.el7_0.6.x86_64
>sssd-ldap-1.11.2-68.el7_0.6.x86_64
>
>
If you call ipa-client-install then sssd.conf needn't be changed.
You just need to configure nsswitch.conf.
It should contain "sudoers: files sss". The NIS domain name should be set
correctly as well.

A detailed description is in the manual page: "man sssd-sudo"

LS
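
The following is an added example, not part of the original thread: a small shell audit for the two points raised above, namely that nsswitch.conf lists `sss` on its `sudoers:` line and that no sssd.conf domain still sets `sudo_provider = ldap`. The function names are hypothetical, and the NIS domain name check is not covered.

```shell
#!/bin/sh
# Added example (not from the thread). File paths are arguments so the
# checks can be run against copies of the real configuration files.

# Succeeds when the "sudoers:" line of an nsswitch.conf lists the sss source.
sudoers_uses_sss() {
    awk '
        { sub(/#.*/, "") }                       # strip trailing comments
        $1 == "sudoers:" {
            seen = 1
            for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1
        }
        END { exit !(seen && ok) }
    ' "$1"
}

# Prints each sssd.conf section that still sets "sudo_provider = ldap".
ldap_sudo_domains() {
    awk '
        /^[ \t]*[#;]/ { next }                   # skip comment lines
        /^[ \t]*\[.*\]/ {                        # remember current section
            section = $0
            gsub(/^[ \t]*\[|\].*$/, "", section)
            next
        }
        {
            line = $0
            gsub(/[ \t]/, "", line)              # ignore spacing around "="
            if (line == "sudo_provider=ldap") print section
        }
    ' "$1"
}

# usage: audit_sudo_client /etc/nsswitch.conf /etc/sssd/sssd.conf
audit_sudo_client() {
    rc=0
    if ! sudoers_uses_sss "$1"; then
        echo "FAIL: $1 has no 'sudoers:' line containing sss"; rc=1
    fi
    doms=$(ldap_sudo_domains "$2")
    if [ -n "$doms" ]; then
        echo "WARN: sudo_provider = ldap is set in: $doms"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: sudo rules are looked up through sss"
    return "$rc"
}
```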



