[Freeipa-users] Freeipa and sudo

Danila Ladner ladner.danila at gmail.com
Tue Jul 5 13:58:29 UTC 2016


What about /etc/nsswitch.conf?
Does it have "sudo: files sss"?

On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek <simecek.tomas at gmail.com>
wrote:

> Dear freeipa users/admins,
> I'm trying to implement freeipa in our company, so that our Unix admins
> can authenticate on Linux servers using their Windows AD account.
> Following this guide
> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
> work well, they can login without problems.
> What I cannot make working is sudo from their AD accounts on Linux.
>
> No matter what I try, it is still:
>
> sudo systemctl restart httpd
> [sudo] password for simecek.tomas@sd-stc.cz:
> Sorry, try again.
>
> Here's our setup:
> Freeipa server: CentOS Linux release 7.2.1511 (Core),
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> Freeipa client: the same
>
> AD domain name: sd-stc.cz
> IPA domain: linuxdomain.cz
>
> When digging in logs and googling, I realized that the problem on client
> side could be:
>
> [root at spcss-2t-www ~]# kinit -k
> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>
> But this seems to work:
> [root@spcss-2t-www ~]# kinit simecek.tomas@SD-STC.CZ
> Password for simecek.tomas@SD-STC.CZ:
> [root@spcss-2t-www ~]# klist
> Default principal: simecek.tomas@SD-STC.CZ
>
> Valid starting       Expires              Service principal
> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ@SD-STC.CZ
>         renew until 07/05/2016 09:36:23
>
> My /etc/sssd/sssd.conf:
> [domain/linuxdomain.cz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linuxdomain.cz
> krb5_realm = LINUXDOMAIN.CZ
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = spcss-2t-www.linuxdomain.cz
> chpass_provider = ipa
> ipa_server = svlxxipap.linuxdomain.cz
> ldap_tls_cacert = /etc/ipa/ca.crt
> override_shell = /bin/bash
> sudo_provider = ldap
> ldap_uri = ldap://svlxxipap.linuxdomain.cz
> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ
> ldap_sasl_realm = LINUXDOMAIN.CZ
> krb5_server = svlxxipap.linuxdomain.cz
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = linuxdomain.cz
> [nss]
> homedir_substring = /home
> ....
>
> My /etc/krb5.conf:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>   default_realm = LINUXDOMAIN.CZ
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
>   LINUXDOMAIN.CZ = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
>
> [domain_realm]
>   .linuxdomain.cz = LINUXDOMAIN.CZ
>   linuxdomain.cz = LINUXDOMAIN.CZ
>
> Would you please suggest which way to investigate?
>
> Thanks
>
> Tomas Simecek
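As an added example (not part of either message above), a POSIX sh audit of the three client-side settings that must agree before sudo will resolve rules through SSSD: the nsswitch.conf routing the reply asks about, the sudo responder in the [sssd] services list, and a sudo_provider in the domain section. The database name sudo looks up in nsswitch.conf is "sudoers" (see sudoers(5)), so the line to check for is "sudoers: files sss". The file contents at the bottom are constructed stand-ins for the client's real /etc/nsswitch.conf and /etc/sssd/sssd.conf; point the functions at the real paths to audit a live host.

```shell
#!/bin/sh
# Audit the three client-side settings that must agree before sudo consults SSSD.
# Each check takes a file path, so it runs against constructed copies (below) or
# the live /etc/nsswitch.conf and /etc/sssd/sssd.conf.

# 1. nsswitch.conf: the database sudo looks up is "sudoers" and must include sss.
nsswitch_routes_sudoers_to_sss() {
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$1"
}

# 2. sssd.conf: the sudo responder must be listed under [sssd] services.
sssd_starts_sudo_responder() {
    awk '/^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
         in_sssd && /^[ \t]*services[ \t]*=/ {
             split($0, kv, "="); if (kv[2] ~ /(^|[ ,])sudo([ ,]|$)/) found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# 3. sssd.conf: the domain section must name a sudo_provider (prints it, empty if unset).
domain_sudo_provider() {
    awk -v sect="[domain/$2]" '
         /^[ \t]*\[/ { t = $0; gsub(/[ \t]/, "", t); in_dom = (t == sect) }
         in_dom && /^[ \t]*sudo_provider[ \t]*=/ {
             sub(/^[ \t]*sudo_provider[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Runs all three checks; prints each finding and returns the number of problems found.
audit_sudo_wiring() {  # $1 nsswitch path, $2 sssd.conf path, $3 SSSD domain name
    problems=0
    nsswitch_routes_sudoers_to_sss "$1" || { echo "MISSING: 'sudoers: files sss' in $1"; problems=$((problems + 1)); }
    sssd_starts_sudo_responder "$2" || { echo "MISSING: sudo in [sssd] services of $2"; problems=$((problems + 1)); }
    [ -n "$(domain_sudo_provider "$2" "$3")" ] || { echo "MISSING: sudo_provider in [domain/$3] of $2"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample files standing in for the real ones on the client.
tmp=$(mktemp -d)
printf 'passwd:  files sss\nsudoers: files sss\n' > "$tmp/nsswitch.conf"
cat > "$tmp/sssd.conf" <<'EOF'
[domain/linuxdomain.cz]
id_provider = ipa
sudo_provider = ldap

[sssd]
services = nss, sudo, pam, ssh
domains = linuxdomain.cz
EOF
audit_sudo_wiring "$tmp/nsswitch.conf" "$tmp/sssd.conf" linuxdomain.cz && echo "sudo -> SSSD wiring looks complete"
```

A missing "sudoers:" line is reported even when a "sudo:" line is present, since sudo never reads a database by that name.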