For sssd to pull sudo rules for external (local) users you will have to add a 
proxy domain into the /etc/sssd/sssd.conf, so sssd will know to go out to the 
ipa servers for the external sudo rules.  While this works it is still 
recommended to use local sudoers for local users.

1) Add proxy domain to /etc/sssd/sssd.conf.

[domain/proxy]   <----------------------- Define this section(proxy domain)
id_provider = proxy
proxy_lib_name = files
proxy_pam_target = system-auth-ac
sudo_provider = ldap   <----------------- This could be 'ipa' as well
ldap_uri = ldaps://rhel7-ipa-2.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt

2) Add domain to "domains" line in the [sssd] section

domains = example.com, proxy <------- Add a 'proxy' domain here

3) restart sssd.  

I used this article to setup mine.  https://access.redhat.com/solutions/2347541
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to