[Freeipa-users] Valid documentation for sudo setup for version 4.0.3

Vaclav Adamec vaclav.adamec at suchy-zleb.cz
Fri Oct 17 07:13:33 UTC 2014

Thanks for your time. Man pages were the first, but it's not working just
based on that. Found out that libsss_sudo is desperately needed and it's not
required by ipa-client rpm. So now I only need to check sudo policy in IPA,
as there is obviously some issue, but connection is working.

yum install ipa-client libsss_sudo
ipa-client-install ...
/etc/sssd/sssd.conf (ldap setup based on man)
/etc/nsswitch.conf  (sss provider for sudoers based on man)

and result:

[vaclav.adamec@ipa-client ~]$ groups
vaclav.adamec admins

[vaclav.adamec@ipa-client ~]$ sudo -l
vaclav.adamec is not allowed to run sudo on ipa-client.  This incident will be reported.

(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [vaclav.adamec] from [<ALL>]
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vaclav.adamec@test]
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vaclav.adamec@test]
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [vaclav.adamec] from [test]
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [vaclav.adamec@test]

but ldap search:

 ldapsearch -x -h localhost -p 389 -b ou=sudoers,dc=test

# sudoers, test
dn: ou=sudoers,dc=test
objectClass: extensibleObject
ou: sudoers

# Admins_can_do_anything, sudoers, test
dn: cn=Admins_can_run_whomai_as_root,ou=sudoers,dc=test
sudoUser: %admins
sudoHost: +all
objectClass: sudoRole
objectClass: top
sudoRunAsUser: root
sudoCommand: /usr/bin/whoami
cn: Admins_can_run_whomai_as_root

# search result
search: 2
result: 0 Success

On Fri, Oct 17, 2014 at 8:39 AM, Alexander Bokovoy <abokovoy at redhat.com>

> On Fri, 17 Oct 2014, Vaclav Adamec wrote:
>> Mixture of both methods is result of testing, just registration via
>> ipa-client (maybe CentOS 6 has only ipa-client-3.0.0-37 ?) definitely not
>> setup anything about sudo. I'll try to build 4.0.3 client for CentOS 6,
>> but right now:
> Installing 4.x (client or server) is not supported on CentOS 6.x. You
> can use whatever IPA version is available there (3.0). It will not
> automatically configure sudo for you, there you have to follow what
> sssd-sudo(5) tells you to do.
> My primary point was that we have this documentation available on every
> machine where SSSD is in use, no need to search over internet.
> P.S. Please reply to the list, not personally.
> --
> / Alexander Bokovoy
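
Added example, not part of the original thread or of FreeIPA/SSSD code: a small evaluator for the sudoRole entry shown in the ldapsearch output above, using a subset of the matching rules in sudoers.ldap(5), where a sudoHost value with a leading "+" names a host netgroup and the any-host wildcard is the literal ALL. The function names and the caller-supplied netgroup set are assumptions made for illustration.

```python
# Added example: a subset of the sudoers.ldap(5) matching rules.
# Netgroup membership is passed in by the caller (assumption: no live lookup).
def parse_ldif(text):
    """Return sudoRole entries as dicts of attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():              # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ": " in line:
            key, val = line.split(": ", 1)
            cur.setdefault(key, []).append(val.strip())
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]

def user_matches(val, user, groups):
    # "ALL", a literal user name, or %group
    return val in ("ALL", user) or (val.startswith("%") and val[1:] in groups)

def host_matches(val, host, netgroups):
    # "ALL", a literal host name, or +netgroup. "+all" is a netgroup called
    # "all", not the ALL wildcard.
    return val in ("ALL", host) or (val.startswith("+") and val[1:] in netgroups)

def explain(entry, user, groups, host, netgroups=()):
    """Return (applies, notes) for one sudoRole entry."""
    notes = []
    u = any(user_matches(v, user, groups) for v in entry.get("sudoUser", []))
    h = any(host_matches(v, host, netgroups) for v in entry.get("sudoHost", []))
    if not u:
        notes.append("no sudoUser value matches")
    if not h:
        notes += [f"sudoHost {v}: host not in netgroup {v[1:]!r}" if v.startswith("+")
                  else f"sudoHost {v}: does not match {host!r}"
                  for v in entry.get("sudoHost", [])]
    return (u and h), notes

# Constructed sample modelled on the rule in the post.
SAMPLE = """\
dn: cn=Admins_can_run_whomai_as_root,ou=sudoers,dc=test
sudoUser: %admins
sudoHost: +all
objectClass: sudoRole
sudoCommand: /usr/bin/whoami
"""

if __name__ == "__main__":
    rule = parse_ldif(SAMPLE)[0]
    print(explain(rule, "vaclav.adamec", {"admins"}, "ipa-client"))
```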