[Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

Jakub Hrozek jhrozek at redhat.com
Tue Apr 7 10:28:14 UTC 2015


On Tue, Apr 07, 2015 at 11:58:35AM +0200, Chamambo Martin wrote:
> I have deployed FreeIPA on RedHat 7 and everything is working perfectly fine
> except when I try to configure SUDO. All my clients are all centos 6 and
> RedHat 6 clients and have the below config. I have followed every how-to
> and I just can't seem to get it. I have configured the sudo commands and
> rules mostly for reading files /usr/bin/vim and /usr/bin/less for reading
> log files
> 
> /etc/nsswitch.conf
> 
> sudoers: files sss
> 
> cat /etc/sssd/sssd.conf
> 
> [root at nemo ~]# cat /etc/sssd/sssd.conf 
> 
> [domain/default]

It is really strange that you have a domain called default (that's the
name authconfig normally uses) set to the ldap provider. Where does this
come from, did you add it manually? This really sounds wrong and I would
suggest removing this domain, but I'd also like to know: why did you add
it in the first place?

> 
> autofs_provider = ldap
> cache_credentials = True
> krb5_realm = XX.XX.XX
> krb5_server = XX.XX.XX.XX:88
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_id_use_start_tls = False
> ldap_tls_cacertdir = /etc/openldap/cacerts
> 
> [domain/ai.co.zw]
> 
> debug_level = 0x07F0
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = XX.XX.XX.XX
> chpass_provider = ipa
> ipa_server = _srv_, XX.XX.XX.XX
> ldap_tls_cacert = /etc/ipa/ca.crt

What RHEL/CentOS version are you running in particular? Starting with
6.6, it should be enough to do:
    sudo_provider = ipa

> 
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
> domains = default, XX.XX.XX
> 
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 

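As an added illustration (not part of the thread or of SSSD itself), a small Python checker that applies the two points raised in the reply to an sssd.conf: it flags a leftover non-IPA "default" domain and an IPA domain with no explicit `sudo_provider = ipa`, and adds two basic consistency checks on the `[sssd]` section (every listed domain has a section, and the sudo responder is in `services`). The embedded config is a constructed stand-in for the poster's redacted one; `example.test` and `ipa.example.test` are placeholders.

```python
import configparser

# Constructed sample modelled on the sssd.conf quoted in the thread; the
# redacted realm/server values are replaced by placeholders.
BROKEN_SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap

[domain/example.test]
ipa_domain = example.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, ipa.example.test

[sssd]
services = nss, sudo, pam
config_file_version = 2
domains = default, example.test

[sudo]
"""

def _split(value):
    """Split a comma-separated sssd.conf list such as 'nss, sudo, pam'."""
    return [v.strip() for v in value.split(",") if v.strip()]

def lint_sssd_conf(text):
    """Return findings for the two points raised in the reply (a stray non-IPA
    'default' domain and an IPA domain without sudo_provider = ipa) plus two
    basic consistency checks on the [sssd] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    domains = {s[len("domain/"):]: cp[s] for s in cp.sections() if s.startswith("domain/")}
    for name, sec in domains.items():
        if name == "default" and sec.get("id_provider") != "ipa":
            findings.append(f"domain/{name}: {sec.get('id_provider')} provider domain looks like an authconfig leftover, remove it")
        if sec.get("id_provider") == "ipa" and sec.get("sudo_provider") != "ipa":
            findings.append(f"domain/{name}: add 'sudo_provider = ipa' so sudo rules are fetched from IPA")
    if cp.has_section("sssd"):
        sssd = cp["sssd"]
        for d in _split(sssd.get("domains", "")):
            if d not in domains:
                findings.append(f"[sssd] domains lists '{d}' but there is no [domain/{d}] section")
        if "sudo" not in _split(sssd.get("services", "")):
            findings.append("[sssd] services does not include 'sudo', the sudo responder will not start")
    return findings
```

Run `lint_sssd_conf` over the client's real `/etc/sssd/sssd.conf` contents; an empty list means none of these four problems is present.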