[Freeipa-users] Configuring SUDO on centos and RHEL 5 clients

Dmitri Pal dpal at redhat.com
Thu Apr 9 01:46:42 UTC 2015


On 04/08/2015 09:04 PM, Martin Chamambo wrote:
> I managed to install my ipa client on centos 5 using this command below
>
>   ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw
>
>
> and it worked perfectly, I can getent passwd xxxx for users in the FreeIPA server, which is good.
>
> I am now trying to configure SUDO on CentOS and there seem to be mixed views on how I can get it working, but I have actually embraced the following
>
> Use SSSD, don't use nslcd or anything that has pam_ldap or ldapd in the name
>
> and here are my configs
>
> cat /etc/nsswitch
>
> sudoers:  files sss
>
>
> cat /etc/sssd/sssd.conf
>
> [root@pinnochio ~]# cat /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> services = nss, pam
>
>
> domains = ai.co.zw
> [nss]
>
> [sudo]
>
> [pam]
>
>
> [domain/ai.co.zw]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
>
>
> Wanted to add sudo services and ssh services on the line services = nss, pam and kept getting errors
>
> (Thu Apr  9 02:04:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr  9 02:04:36 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr  9 02:08:27 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr  9 02:08:59 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr  9 02:09:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr  9 02:10:05 2015) [sssd] [get_monitor_config] (0): Invalid service ssh
>
>
> I guess there is a different way of configuring SUDO on RHEL 5 or CentOS 5
>
>
The sudo and ssh support was added later than the version of SSSD that
runs on CentOS 5.
Also, the version of sudo on 5 does not have integration with SSSD yet.
The recommended approach is to configure sudo using its own LDAP
capabilities as documented in the sudo manuals and man pages for that
version.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
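
As an added illustration of the reply above (not code from the thread or from the FreeIPA project): a constructed set of sudo LDAP client settings for this domain, plus a small check that the bind password is never sent over an unencrypted or unauthenticated connection. Assumptions: sudo on EL5 reads /etc/ldap.conf, the rules live under ou=SUDOers and are read with FreeIPA's uid=sudo system account; the function names and the bindpw value are placeholders.

```shell
#!/bin/sh
# Added example. Constructed sudo LDAP client settings for the thread's domain.
# Assumptions: EL5 sudo reads /etc/ldap.conf, FreeIPA keeps sudo rules under
# ou=SUDOers and they are read with the uid=sudo system account.
sample_conf() {
cat <<'EOF'
uri ldap://cyclops.ai.co.zw
sudoers_base ou=SUDOers,dc=ai,dc=co,dc=zw
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ai,dc=co,dc=zw
bindpw PLACEHOLDER_SET_YOUR_OWN
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
EOF
}

# get_opt FILE KEY: print the last value given for KEY; commented lines never match.
get_opt() {
  awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                 END { print v }' "$1"
}

# lint_sudo_ldap FILE: print one line per finding; no output means no findings.
lint_sudo_ldap() {
  f=$1
  for key in uri sudoers_base; do
    [ -n "$(get_opt "$f" "$key")" ] || echo "missing: $key"
  done
  # The bind password is only protected if the session is encrypted
  # before the bind: either an ldaps:// URI or "ssl start_tls" (or ssl on).
  case "$(get_opt "$f" uri)" in
    ldaps://*) ;;
    *) case "$(get_opt "$f" ssl)" in
         start_tls|on|true|yes) ;;
         *) echo "cleartext bind: no ldaps:// uri and ssl is not start_tls/on" ;;
       esac ;;
  esac
  # Without peer checking, TLS does not authenticate the server.
  case "$(get_opt "$f" tls_checkpeer)" in
    on|true|yes) ;;
    *) echo "tls_checkpeer is not explicitly enabled: server certificate may go unverified" ;;
  esac
}

# Stand-alone run: lint the constructed sample (prints nothing when clean).
tmp=$(mktemp) && sample_conf > "$tmp" && lint_sudo_ldap "$tmp"
rm -f "$tmp"
```

With sudo's native LDAP backend the nsswitch.conf entry is `sudoers: files ldap` rather than `files sss`. Because the file holds a bind password, check its ownership and mode against the sudo documentation for the installed version.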



