[Freeipa-users] ipa / sudoers on centos 6.3 client

Chris Card ctcard at hotmail.com
Fri Jan 2 15:19:50 UTC 2015


I have existing machines running CentOS 6.3 which I want to include in a freeipa domain.
The domain controller machine is running Fedora 21 and freeipa-server-4.1.1-2 while the latest version of ipa I can find that runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.
I have successfully run ipa-client-install on the CentOS 6.3 client and set up users who can ssh to the client using ssh-keys.
The problem is that I can't get sudo rules to work. I know that the ipa client software version 3.0.0 doesn't automatically set up all the configuration for sssd to control sudo access, but I have set up all the configuration necessary manually:

On the client, /etc/nsswitch.conf has

      sudoers files sss

/etc/sssd/sssd.conf has

[domain/default]
cache_credentials = True
krb5_realm = <REALM>
krb5_server = <ipa server>:88
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_tls_cacertdir = /etc/openldap/cacerts

[domain/<domain>]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = <domain>
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = <ipa server>
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://<ipa server>
ldap_sudo_search_base = ou=sudoers,<domain base dn>
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/<client fqdn>
ldap_sasl_realm = <REALM>
krb5_server = <ipa server>
debug_level = 9

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = <domain>, default
debug_level = 9

[nss]
debug_level = 9

[pam]
debug_level = 9

[sudo]
debug_level = 9

[autofs]
I have validated the ldap sasl configuration using ldapsearch, so I'm sure they are correct.
The nisdomainname command returns the domain name.
The sudo rules are:

# ipa sudorule-find
--------------------
2 Sudo Rules matched
--------------------
  Rule name: sudo-host1
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  User Groups: host1-rw
  Host Groups: host1
  Sudo Option: -authenticate

  Rule name: sudo-host2
  Enabled: TRUE
  User Groups: host2-rw
  Host Groups: host2
  Sudo Option: -authenticate
----------------------------
Number of entries returned 2
----------------------------

When a user in user group host1-rw sshs to a client in host group host1 and runs "sudo su -" the user gets prompted for a password even though the sudo option -authenticate is set. I'm not convinced that sudo is even attempting to use sssd, but I'm not sure how to confirm this.
I have seen some references to /etc/sudo-ldap.conf in online discussions of similar issues. This file exists on my client, but everything is commented out. Do I need to put the ldap client configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf for CentOS 6.3 clients?
Any ideas about how to work out what is failing?
Chris
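A small diagnostic, added here as an example and not part of Chris's post, that checks the two places the post describes on copies of the files: the sudoers line in nsswitch.conf and the sudo responder and per-domain sudo_provider in sssd.conf. The file paths are arguments, so it can be run against the real files or against test copies.

```shell
#!/bin/sh
# Added example (not from the original post). Checks whether the sudo-via-SSSD
# plumbing is wired together:
#   1. nsswitch.conf routes the "sudoers:" database to the sss module
#   2. the [sssd] section of sssd.conf lists "sudo" in services=
#   3. each domain in domains= sets a sudo_provider (warn only if missing)
# Usage: check_sudo_sss /etc/nsswitch.conf /etc/sssd/sssd.conf
# Returns 0 only when checks 1 and 2 pass.
check_sudo_sss() {
    nss="$1"; conf="$2"; rc=0

    # nsswitch.conf syntax is "database: source ...", so the line must start "sudoers:".
    if grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$nss"; then
        echo "ok:   $nss routes sudoers to sss"
    else
        echo "FAIL: no 'sudoers: ... sss' line in $nss"; rc=1
    fi

    # Extract the [sssd] section (up to the next section header).
    sssd_section=$(sed -n '/^\[sssd\]/,/^\[/p' "$conf")

    if printf '%s\n' "$sssd_section" \
        | grep -Eq '^[[:space:]]*services[[:space:]]*=.*[ ,=]sudo([ ,]|$)'; then
        echo "ok:   [sssd] services includes the sudo responder"
    else
        echo "FAIL: [sssd] services does not list sudo in $conf"; rc=1
    fi

    # domains = a, b  ->  "a b"; then look inside each [domain/NAME] section.
    domains=$(printf '%s\n' "$sssd_section" \
        | sed -n 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*//p' | tr ',' ' ')
    for d in $domains; do
        if sed -n "/^\[domain\/$d\]/,/^\[/p" "$conf" \
            | grep -Eq '^[[:space:]]*sudo_provider[[:space:]]*='; then
            echo "ok:   domain $d sets sudo_provider"
        else
            echo "WARN: domain $d has no sudo_provider, so no sudo rules are fetched from it"
        fi
    done
    return $rc
}
```

Run it as root on the client (sssd.conf is normally mode 0600) and compare the FAIL/WARN lines with the config in the post; a WARN for the "default" domain is expected there, since only the IPA domain sets sudo_provider.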
