<div dir="ltr">I should clarify. I was just following the fedora/ipa docs. My Ipa servers are Centos 7.2 and Ipa 4.2. Clients are Centos 6.6 and 3.0.0<div> </div><div><div>$ rpm -q sssd ipa-client</div><div>sssd-1.11.6-30.el6_6.3.x86_64</div><div>ipa-client-3.0.0-42.el6.centos.x86_64</div></div></div><div class="gmail_extra"> <div class="gmail_quote">On Thu, Mar 24, 2016 at 3:04 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ash Alam wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Based on (How to troubleshoot Sudo) - Maybe i miss spoke when i said it fails completely. Rather it keeps asking for the users password which it does not accept. - I do not have sudo in sssd.conf - I do not have sudoers: sss defined in nsswitch.conf - Per Fedora/Freeipa doc (Defining Sudo), its not immediately clear if these needs to be defined - If this is the case then adding them might resolve my issues. - for the special sudo rule(s). is there any way to track it via the gui? I am trying to keep track of all the configs so its not a blackhole for the next person. </blockquote> It would help to know the release of Fedora you're using, the rpm version of ipa-client and sssd. If you are using Fedora freeipa docs they are extremely old, at best F-18. Use the RHEL docs. rob <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> - This is what it looks like on the web gui <div><div class="h5"> Inline image 1 - This is what a clients sssd.conf looks like [domain/xxxxx] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = pp id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = xxxxxx chpass_provider = ipa ipa_server = _srv_, xxxxx ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, pam, ssh config_file_version = 2 domains = XXXXX [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a> </div></div> <mailto:<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>>> wrote: > On 24 Mar 2016, at 17:21, Ash Alam <<a href="mailto:aalam@paperlesspost.com" target="_blank">aalam@paperlesspost.com</a> <mailto:<a href="mailto:aalam@paperlesspost.com" target="_blank">aalam@paperlesspost.com</a>>> wrote: > > Hello > > I am looking for some guidance on how to properly do sudo with Freeipa. I have read up on what i need to do but i cant seem to get to work correctly. Now with sudoers.d i can accomplish this fairly quickly. > > Example: > > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client > > What i have configured in Freeipa Sudo Rules: > > Sudo Option: !authenticate > Who: dev (group) > Access this host: testing (group) > Run Commands: set of commands that are defined. > > Now when i apply this, it still does not work as it asks for a password for the user and then fails. I am hoping to allow a group to only run certain commands without requiring password. > You should first find out why sudo fails completely. We have this guide that should help you: <a href="https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO" rel="noreferrer" target="_blank">https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO</a> About asking for passwords -- defining a special sudo rule called 'defaults' and then adding '!authenticate' should help: Add a special Sudo rule for default Sudo server configuration: ipa sudorule-add defaults Set a default Sudo option: ipa sudorule-add-option defaults --sudooption '!authenticate' </blockquote> </blockquote></div> </div>