[Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
Jakub Hrozek
jhrozek at redhat.com
Tue Apr 7 10:28:14 UTC 2015
On Tue, Apr 07, 2015 at 11:58:35AM +0200, Chamambo Martin wrote:
> I have deployed FreeIPA on RedHat 7 and everything is working perfectly fine
> except when I try to configure SUDO. All my clients are all centos 6 and
> RedHat 6 clients and have the below config . I have followed every how-to
> and I just can't seem to get it.I have configured the sudo commands and
> rules mostly for reading files /usr/bin/vim and /usr/bin/less for reading
> log files
>
>
>
> /etc/nssswitch
>
>
>
> sudoers: files sss
>
>
>
> cat /etc/sssd/sssd.conf
>
>
>
>
>
> [root at nemo ~]# cat /etc/sssd/sssd.conf
>
> [domain/default]
it is really strange that you have a domain called default (that's the
name authconfig normally uses) set to ldap provider. Where does this
come from, did you add it manually? This really sounds wrong and I would
suggest to remove this domain, but I'd also like to know why did you add
it in the first place?
>
>
>
> autofs_provider = ldap
>
> cache_credentials = True
>
> krb5_realm = XX.XX.XX
>
> krb5_server = XX.XX.XX.XX:88
>
> id_provider = ldap
>
> auth_provider = ldap
>
> chpass_provider = ldap
>
> ldap_id_use_start_tls = False
>
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> [domain/ai.co.zw]
>
>
>
> debug_level = 0x07F0
>
> cache_credentials = True
>
> krb5_store_password_if_offline = True
>
> ipa_domain = ai.co.zw
>
> id_provider = ipa
>
> auth_provider = ipa
>
> access_provider = ipa
>
> ipa_hostname = XX.XX.XX.XX
>
> chpass_provider = ipa
>
> ipa_server = _srv_, XX.XX.XX.XX
>
> ldap_tls_cacert = /etc/ipa/ca.crt
What RHEL/CentOS version are you running in particular? Starting with
6.6, it should be enough to do:
sudo_provider = ipa
>
>
>
> [sssd]
>
> services = nss, sudo, pam, autofs, ssh
>
> config_file_version = 2
>
>
>
> domains = default, XX.XX.XX
>
> [nss]
>
>
>
> homedir_substring = /home
>
>
>
> [pam]
>
>
>
> [sudo]
>
>
>
> [autofs]
>
>
>
> [ssh]
>
>
>
> [pac]
>
>
>
>
>
>
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list