I had enabled debugging of sudo but am not clear on where that debugging is going. It's not stdout, and I'm not seeing anything in /var/log/messages.
I'll try switching to SSS and see what that gets me.

On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <[email protected]> wrote:

> On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>
>> I'm pretty certain there's a painfully simple solution to this that
>> I'm not seeing, but my current configuration isn't picking up the
>> freeipa sudoer rule that I've set.
>>
>> /etc/nsswitch.conf specifies:
>> sudoers: files ldap
>>
>> /etc/nslcd.conf contains:
>>
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>> bindpw password
>>
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>>
>> bind_timelimit 5
>> timelimit 15
>>
>> uri ldap://fs1.wedgeofli.me
>>
>> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>
>>
>> The sssd_DOMAIN.log file contains this when I try to sudo:
>>
> <snip>
>
> The SSSD logs aren't showing anything wrong because they have nothing to
> do with the execution of the SUDO rules in this situation. All the SSSD is
> doing is verifying the authentication (when sudo prompts you for your
> password).
>
> The problem with the rule is most likely happening inside SUDO itself.
> When you specify 'sudoers: files, ldap' in nsswitch.conf, it's telling SUDO
> to use its own internal LDAP driver to look up the rules. So you need to
> check sudo logs to see what's happening (probably you will need to enable
> debug logging in /etc/sudo.conf).
>
> Recent versions of SUDO (1.8.6 and later) have support for setting
> 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0 and
> later) for lookups (and caching) of sudo rules.

-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
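The two questions in this exchange (which component actually resolves the sudo rule, and where sudo's debug output lands) are both answered by two files: the `sudoers:` line in nsswitch.conf and the `Debug` lines in sudo.conf. The script below is an added example for this page, not code from the thread, from the sudo project or from SSSD. It reads those two files from paths given as arguments and reports what sudo will do, using constructed sample files so it runs offline. It assumes the sudo.conf `Debug program file flags` syntax of sudo 1.8.4 and later; the sample log paths under /var/log are illustrative, not anything the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread, sudo or SSSD): inspect an
# nsswitch.conf and a sudo.conf and report which source resolves sudo
# rules and where sudo's debug log goes. Paths are arguments so the
# constructed samples at the bottom can be checked without touching /etc.

# Print the sudoers sources, space separated, as sudo reads them: the
# first "sudoers:" line wins, [action] tokens and comments are ignored,
# and a missing line means sudo's default of "files".
sudoers_sources() {
    src=$(sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" | head -n 1 \
          | sed 's/#.*//; s/\[[^]]*\]//g; s/,/ /g' \
          | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
    [ -n "$src" ] && echo "$src" || echo files
}

# Map each source to the component that resolves it, which is where any
# debugging has to be switched on. "ldap" is sudo's own driver (it reads
# sudo's ldap.conf, not nslcd.conf or sssd.conf); "sss" is SSSD's sudo
# responder (sudo 1.8.6+, SSSD 1.9+).
sudoers_resolver() {
    for s in $(sudoers_sources "$1"); do
        case "$s" in
            files) echo "files: /etc/sudoers, parsed by the sudoers plugin" ;;
            ldap)  echo "ldap: sudo's built-in LDAP driver (configured in sudo's own ldap.conf)" ;;
            sss)   echo "sss: SSSD sudo responder (needs 'sudo' in sssd.conf services)" ;;
            *)     echo "$s: not a source sudo knows about" ;;
        esac
    done
}

# Print "program file flags" for every Debug line in a sudo.conf, or
# "none". Sudo writes debug output only to the file named on such a line;
# nothing goes to stdout or syslog, so without one "enabling debugging"
# produces nothing visible anywhere.
sudo_debug_targets() {
    out=$(sed -n 's/^[[:space:]]*Debug[[:space:]]\{1,\}//p' "$1" \
          | sed 's/[[:space:]]\{1,\}/ /g; s/ $//')
    [ -n "$out" ] && echo "$out" || echo none
}

# Constructed samples (not the poster's real files).
tmp=$(mktemp -d)
cat >"$tmp/nsswitch.ldap" <<'EOF'
# constructed: the configuration from the original question
passwd:  files sss
sudoers: files ldap
EOF
cat >"$tmp/nsswitch.sss" <<'EOF'
# constructed: the alternative suggested in the reply
sudoers: files sss
EOF
cat >"$tmp/sudo.conf.quiet" <<'EOF'
# constructed: no Debug line, so sudo debug output has nowhere to go
Plugin sudoers_policy sudoers.so
EOF
cat >"$tmp/sudo.conf.debug" <<'EOF'
# constructed: per-program debug files; the sudoers plugin gets the
# LDAP, SSSD and nsswitch subsystems at the most verbose priority
Plugin sudoers_policy sudoers.so
Debug sudo /var/log/sudo_debug all@warn
Debug sudoers /var/log/sudoers_debug ldap@debug,sssd@debug,nss@debug
EOF

for f in "$tmp/nsswitch.ldap" "$tmp/nsswitch.sss"; do
    echo "== $f"; sudoers_resolver "$f"
done
echo "== $tmp/sudo.conf.quiet"; sudo_debug_targets "$tmp/sudo.conf.quiet"
echo "== $tmp/sudo.conf.debug"; sudo_debug_targets "$tmp/sudo.conf.debug"
```

Run it against the real files with `sudoers_resolver /etc/nsswitch.conf` and `sudo_debug_targets /etc/sudo.conf` after sourcing the script. The practical caveat it encodes: with `sudoers: files ldap`, sudo's built-in driver takes its `uri`, `binddn` and `sudoers_base` from sudo's own LDAP configuration file (/etc/sudo-ldap.conf on Fedora and RHEL builds, /etc/ldap.conf on most others), so settings placed in nslcd.conf are never seen by sudo, and the debug log named in sudo.conf is the place those lookups are recorded.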
