[Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

Lukas Slebodnik lslebodn at redhat.com
Wed Apr 8 07:43:06 UTC 2015


On (08/04/15 09:25), Chamambo Martin wrote:
>Good day 
>
>I am running FreeIPA, version: 4.1.0 and everything is working well except
>SUDO configuration.
>
ipa-client-install on CentOS 7.1 should configure sudo by default.

>I have 3 questions
>
>	1: I have configured the bare minimum sudo configuration without
>hostgroups and netgroups , just sudo commands and sudo command groups that
>have been added as sudo rules .....this should work right
yes.

and sudo rules with netgroups should work on CentOS 7.1 as well
because nisdomainname should be configured.

>                2: I have centos 6.6 and redhat 6.6 clients using the sssd
>service  ,is that enough for sudo to work if the configs are as below
>
>
>cat /etc/nsswitch.conf
>
>sudoers: files sss
>
>cat /etc/sssd/sssd.conf
>
>[domain/ai.co.zw]
>
>debug_level=6
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ai.co.zw
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = ironhide.ai.co.zw
>chpass_provider = ipa
>ipa_server = _srv_, cyclops.ai.co.zw
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>[sssd]
>services = nss, sudo, pam, ssh
>config_file_version = 2
>
>
>domains = ai.co.zw
>[nss]
>homedir_substring = /home
The default value of this option is "/home"
You can remove it. Where did you find it?

>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>

If you do not use netgroups (or hostgroups) in sudo rules
then this configuration should work on rhel 6.6 (sssd >= 1.10)
The same steps are described in manual page sssd-sudo.

LS
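
The two settings discussed in this thread (`sudoers: files sss` in nsswitch.conf and `sudo` in the `[sssd]` services list) can be checked mechanically. The following is an added example, not part of the original message or of FreeIPA/SSSD; the function names and the embedded sample text are constructed for illustration, and the `sudo_provider = none` check is an extra assumption about what else could disable sudo lookups in a domain section.

```python
import configparser

# Constructed sample input that mirrors the configuration quoted in the thread.
SAMPLE_NSSWITCH = "passwd: files sss\nsudoers: files sss\n"
SAMPLE_SSSD = """\
[domain/ai.co.zw]
id_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ai.co.zw

[sudo]
"""

def nsswitch_sources(text, database):
    """Return the sources listed for one nsswitch.conf database ([] if absent)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []

def csv(value):
    """Split a comma-separated sssd.conf value into trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def check_sudo_config(nsswitch_text, sssd_text):
    """Return findings; an empty list means both files route sudo to SSSD."""
    findings = []
    if "sss" not in nsswitch_sources(nsswitch_text, "sudoers"):
        findings.append("nsswitch.conf: sudoers does not list sss")
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(sssd_text)
    if "sudo" not in csv(conf.get("sssd", "services", fallback="")):
        findings.append("sssd.conf: sudo missing from [sssd] services")
    for domain in csv(conf.get("sssd", "domains", fallback="")):
        section = "domain/" + domain
        if not conf.has_section(section):
            findings.append("sssd.conf: no [%s] section" % section)
        elif conf.get(section, "sudo_provider", fallback="").lower() == "none":
            findings.append("sssd.conf: sudo_provider = none in [%s]" % section)
    return findings

if __name__ == "__main__":
    for finding in check_sudo_config(SAMPLE_NSSWITCH, SAMPLE_SSSD) or ["no findings"]:
        print(finding)
```

On a client, pass the contents of /etc/nsswitch.conf and /etc/sssd/sssd.conf instead of the samples; sssd.conf is normally readable only by root.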