[Freeipa-users] config sudo with ipa

Lukas Slebodnik lslebodn at redhat.com
Fri Mar 27 14:05:31 UTC 2015


On (27/03/15 14:56), Benoit Rousselle wrote:
>Hi,
>
>I set up a sudo config on the IPA client and set a rule on the IPA server.
>The sudo rules from IPA are not found: it returns 0 rules for the user.
>
>This config is ambiguous. Is there a method to check whether everything is OK?
>The best way at the moment is to set debug_level in sssd. But I'm not
>sure that the problem comes from there.
>
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event
>0x1cba830 "ltdb_callback"
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
>(0x0200): Searching sysdb with
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=my_user)(sudoUser=#1600001)(sudoUser=%utilisateur_a)(sudoUser=%adupont)(sudoUser=+*)))]
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event
>"ltdb_callback": 0x1cb9000
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event
>"ltdb_timeout": 0x1cb9240
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer
>event 0x1cb9240 "ltdb_timeout"
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event
>0x1cb9000 "ltdb_callback"
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
>(0x0400): Returning 0 rules for [my_user at my_domain.com]
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle
>timer re-set for client [0x1cb30e0][18]
>
>
>My client config :
>[domain/my_domain.com]
>debug_level = 6
>cache_credentials = True
>krb5_store_password_if_offline = True
>krb5_realm = MY_IDMDOMAIN.COM
>ipa_domain = my_domain.com
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = myserver.my_domain.com
>chpass_provider = ipa
>ipa_server = _srv_, idm.my_domain.com
>ldap_tls_cacert = /etc/ipa/ca.crt
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>
>domains = addcnet.com
>[nss]
>
>[pam]
>
>[sudo]
>debug_level = 9
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>----
>server Red Hat: Linux 6.4

RHEL 6.4 has an old version of sssd which does not have the native IPA sudo provider.
You will need to configure sudo with sudo_provider = ldap.

Please follow the instructions in the manual page "sssd-sudo".

LS
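As an added illustration (not part of the thread, and not the poster's or Red Hat's configuration) of what the reply above amounts to, here is the posted domain section with the LDAP sudo back end added, following the IPA example in the sssd-sudo(5) manual page. Hostnames, realm and provider lines are taken from the post; the search base (IPA exposes sudo rules through its compat plugin under ou=sudoers,<suffix>) and the host principal are assumptions and must match the real deployment:

```ini
# Added example, not from the thread: sssd.conf for an older SSSD that has no
# native "sudo_provider = ipa". Rules are read from the IPA compat tree over
# LDAP instead, as the sssd-sudo(5) manual page describes.
# Assumed values: the ou=sudoers suffix and the host/ principal name.

[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo
# Must match the [domain/...] section name exactly.
domains = my_domain.com

[domain/my_domain.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = my_domain.com
ipa_hostname = myserver.my_domain.com
ipa_server = _srv_, idm.my_domain.com
krb5_realm = MY_IDMDOMAIN.COM
ldap_tls_cacert = /etc/ipa/ca.crt
cache_credentials = True

# --- the part the posted config lacks ---
# With sudo_provider unset, sssd.conf(5) falls back to the id_provider ("ipa"),
# which this SSSD version cannot use for sudo, so the sudo responder has
# nothing in its cache and reports "Returning 0 rules".
sudo_provider = ldap
# Assumption: the directory suffix is derived from the domain name.
ldap_sudo_search_base = ou=sudoers,dc=my_domain,dc=com
ldap_uri = ldap://idm.my_domain.com
# Bind with the client's host keytab (GSSAPI) instead of anonymously, so the
# rules are fetched as this enrolled host rather than as an unauthenticated
# reader.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myserver.my_domain.com
ldap_sasl_realm = MY_IDMDOMAIN.COM
krb5_server = idm.my_domain.com

[sudo]
debug_level = 9
```

Two further checks from the same manual page: /etc/nsswitch.conf needs a "sudoers: files sss" line, and the sudo section must be listed in services (it already is above). After editing, restart sssd, invalidate the old cache with "sss_cache -E", confirm the rule exists on the server with "ipa sudorule-find", and then run "sudo -l" as the user; with debug_level = 9 still set, the sudo responder log should now report a non-zero rule count instead of "Returning 0 rules".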
