<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 12/17/2013 06:34 PM, Dimitar Georgievski wrote:
<blockquote
cite="mid:CAHSnsoYAeAipJTS_4ipvtf-b7gcASn016QmfZbaZ1Q7A18qS_w@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works
fine except that I have a problem enforcing sudo policies on the
hosts that are part of the managed domain. </div>
<div><br>
</div>
<div>When trying to run the following simple command as a user
managed by FreeIPA I got the following response:</div>
<div><br>
</div>
<div><i>> sudo /usr/bin/vim test.txt<br>
</i></div>
<div><i>jsmith is not allowed to run sudo on myhost. This
incident will be reported.</i></div>
<div><i><br>
</i></div>
<div>I might have missed something in the configuration of the
server or SSSD on the client host.</div>
<div><br>
</div>
<div>Is there any guideline for sudo integration with FreeIPA?</div>
<div><br>
</div>
<div>
The following is the SSSD configuration on the client host:</div>
<div><br>
</div>
<div>
<div>
<div>[domain/<a moz-do-not-send="true"
href="http://example.net">example.net</a>]</div>
<div><br>
</div>
<div>cache_credentials = True</div>
<div>krb5_store_password_if_offline = True</div>
<div>ipa_domain = <a moz-do-not-send="true"
href="http://example.net">example.net</a></div>
<div>id_provider = ipa</div>
<div>auth_provider = ipa</div>
<div>access_provider = ipa</div>
<div>sudo_provider = ldap</div>
<div>ldap_tls_cacert = /etc/ipa/ca.crt</div>
<div>ipa_hostname = <a moz-do-not-send="true"
href="http://ipaserver.example.net">ipaserver.example.net</a></div>
<div>chpass_provider = ipa</div>
<div>ipa_server = _srv_</div>
<div>ipa_backup_server = <a moz-do-not-send="true"
href="http://replica.example.net">replica.example.net</a></div>
<div><br>
</div>
<div><br>
</div>
<div>dns_discovery_domain = <a moz-do-not-send="true"
href="http://example.net">example.net</a></div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>[sssd]</div>
<div>services = nss, pam, ssh, sudo</div>
<div>config_file_version = 2</div>
<div><br>
</div>
<div>domains = <a moz-do-not-send="true"
href="http://example.net">example.net</a></div>
<div>[nss]</div>
<div><br>
</div>
<div>[pam]</div>
<div><br>
</div>
<div>[sudo]</div>
<div>debug_level = 0x3ff0</div>
<div><br>
</div>
<div>[autofs]</div>
<div><br>
</div>
<div>[ssh]</div>
<div><br>
</div>
<div>[pac]</div>
</div>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Dimitar</div>
</div>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</a><br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
</body>
</html>