I had enabled debugging of sudo but am not clear on where that debugging is
going. It's not stdout, and I'm not seeing anything in /var/log/messages.

I'll try switching to SSS and see what that gets me.


On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <sgall...@redhat.com> wrote:

> On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>
>> I'm pretty certain there's a painfully simple solution to this that
>> I'm not seeing, but my current configuration isn't picking up the
>> freeipa sudoer rule that I've set.
>>
>> /etc/nsswitch.conf specifies:
>>  sudoers:    files ldap
>>
>> /etc/nslcd.conf contains:
>>
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>> bindpw password
>>
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>>
>> bind_timelimit 5
>> timelimit 15
>>
>> uri ldap://fs1.wedgeofli.me
>>
>> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>
>>
>> The sssd_DOMAIN.log file contains this when I try to sudo:
>>
>>
> <snip>
>
> The SSSD logs aren't showing anything wrong because they have nothing to
> do with the execution of the SUDO rules in this situation. All the SSSD is
> doing is verifying the authentication (when sudo prompts you for your
> password).
>
> The problem with the rule is most likely happening inside SUDO itself.
> When you specify 'sudoers: files, ldap' in nsswitch.conf, it's telling SUDO
> to use its own internal LDAP driver to look up the rules. So you need to
> check sudo logs to see what's happening (probably you will need to enable
> debug logging in /etc/sudo.conf).
>
> Recent versions of SUDO (1.8.6 and later) have support for setting
> 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0 and
> later) for lookups (and caching) of sudo rules.
>



-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
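The two things this thread turns on are (a) which sudoers sources the `sudoers:` line in /etc/nsswitch.conf hands to sudo (`ldap` means sudo's own LDAP driver, which reads sudo's ldap.conf, not nslcd.conf; `sss` means SSSD) and (b) where a `Debug` line in /etc/sudo.conf sends its output, which is the file named on that line rather than stdout or syslog. The script below is an added example, not code from the thread or from the sudo/SSSD projects. It works on constructed copies of both files so it runs offline; the paths, the sample rules and the log locations are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread or the sudo/SSSD projects): inspect which
# sudoers sources sudo will consult and where sudo.conf's Debug output lands,
# using constructed sample files.

# Print the sudoers sources from an nsswitch.conf-style file, space separated.
# sudo falls back to "files" when the line is absent and accepts both
# "files ldap" and "files, ldap" as separators.
sudoers_sources() {
    awk -F: '
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/#.*/, "", $2)                 # drop a trailing comment
            gsub(/,/, " ", $2)                 # commas are optional separators
            n = split($2, src, /[ \t]+/)
            out = ""
            for (i = 1; i <= n; i++)
                if (src[i] != "") out = out (out == "" ? "" : " ") src[i]
            print out
            found = 1
            exit
        }
        END { if (!found) print "files" }
    ' "$1"
}

# Say who actually evaluates the rules for each source, which is the
# distinction drawn in the reply above.
describe_backend() {
    for s in $1; do
        case "$s" in
            files) echo "files: /etc/sudoers, parsed by the sudoers plugin" ;;
            ldap)  echo "ldap: sudo's own LDAP driver, configured in sudo's ldap.conf (not nslcd.conf)" ;;
            sss)   echo "sss: rules fetched and cached by SSSD (sudo >= 1.8.6, SSSD >= 1.9.0)" ;;
            *)     echo "$s: unknown source" ;;
        esac
    done
}

# Print the log file a "Debug <program> <file> <flags>" line in sudo.conf
# points at, or nothing when that program has no Debug line. This is where
# the debugging output goes: that file, not stdout or /var/log/messages.
sudo_debug_log() {
    awk -v prog="$2" '$1 == "Debug" && $2 == prog { print $3; exit }' "$1"
}

# Constructed sample configs (not real system files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/nsswitch.conf" <<'EOF'
passwd:     files sss
sudoers:    files ldap      # as posted in the thread
EOF

cat >"$tmp/nsswitch-sss.conf" <<'EOF'
passwd:     files sss
sudoers:    files, sss
EOF

cat >"$tmp/sudo.conf" <<'EOF'
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
Debug sudo       /var/log/sudo_debug    all@warn
Debug sudoers.so /var/log/sudoers_debug ldap@debug,sssd@debug,nss@debug
EOF

for f in nsswitch.conf nsswitch-sss.conf; do
    srcs=$(sudoers_sources "$tmp/$f")
    echo "$f -> sudoers: $srcs"
    describe_backend "$srcs" | sed 's/^/    /'
done

echo "sudo front-end debug log:  $(sudo_debug_log "$tmp/sudo.conf" sudo)"
echo "sudoers plugin debug log:  $(sudo_debug_log "$tmp/sudo.conf" sudoers.so)"
```

Run it as-is to see the two nsswitch variants side by side; point the two functions at the real /etc/nsswitch.conf and /etc/sudo.conf to check a live host. With the `ldap` source the rule lookup is done entirely inside the sudoers plugin, so the plugin's Debug file (the `sudoers.so` line, with the `ldap` subsystem enabled) is the one to read; with `sss` the same file shows the `sssd` subsystem, and the SSSD domain log becomes relevant as well.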

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users