On 06/12/2013 02:37 PM, Jakub Hrozek wrote:
On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote:
Hi,

The package as you described is installed, the config lines are set as you
show it.

This is what I see in auth.log, my sssd_sudo does not show a thing:

Jun 12 11:19:16 server sudo: pam_unix(sudo:auth): authentication failure; logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): User info message: Your password will expire in 89 day(s).
Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): authentication success; logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
Jun 12 11:19:16 server sudo: USERNAME : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/su

Pavel, I know you were debugging this problem on IRC, was there any
conclusion?


No. I'm waiting for our lab to come back online so I can try to reproduce it.

Jun 12 11:19:16 server sudo: unable to execute /usr/sbin/sendmail: No such file or directory

I really cannot figure out what to check more.


2013/6/12 Alexander Bokovoy <aboko...@redhat.com>

On Wed, 12 Jun 2013, Matt . wrote:

Hi,

A lot of people seem to have problems with Sudo and FreeIPA.

How to enable sudo is described here:

http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

The problem we are facing, also discussed on IRC, is that the local sudoers
file of the client is checked to see if the logged-in user may sudo. Of
course the username is not known there.

Not sure what exactly is your problem? Could you please rephrase and
show it with logs again?

If you are using SSSD's sudo integration against IPA server, then here
is what you need to get it working on Fedora 18/19 and RHEL 6.4:

1. install libsss_sudo package

2. Add/change following line to /etc/nsswitch.conf

sudoers: files sss

3. Make sure your /etc/sssd/sssd.conf looks like this example:
http://abbra.fedorapeople.org/.paste/sssd.conf.example

4. Restart sssd

These are the only actions I needed to get sudo working for IPA users on
Fedora 19 and RHEL 6.4.

Please note that
    sudoers: files sss
gives you the chance to have local users configured in local sudoers. If you
don't want them to be able to use sudo, just change the line in
/etc/nsswitch.conf to
    sudoers: sss


--
/ Alexander Bokovoy


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
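
Added example, not part of the original thread or of FreeIPA/SSSD: a small check that ties step 2 above (the sudoers line in /etc/nsswitch.conf) to the auth.log symptom quoted in the thread, where pam_sss authenticates the user and sudo then reports "user NOT in sudoers". The function names and the two nsswitch.conf samples are constructed for illustration; the log lines are the ones from the thread.

```python
import re

# Constructed nsswitch.conf samples: without and with the sss source for sudoers.
NSSWITCH_BAD = "passwd: files sss\nsudoers: files\n"
NSSWITCH_GOOD = "passwd: files sss\nsudoers: files sss\n"

# auth.log lines quoted in the thread, with the mail client's line wraps rejoined.
AUTH_LOG = """\
Jun 12 11:19:16 server sudo: pam_unix(sudo:auth): authentication failure; logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): authentication success; logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
Jun 12 11:19:16 server sudo: USERNAME : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/su
"""

SSS_OK = re.compile(r"sudo: pam_sss\(sudo:auth\): authentication success;.*\buser=(\S+)")
DENIED = re.compile(r"sudo:\s+(\S+) : user NOT in sudoers ;.*COMMAND=(.*)$")

def sudoers_sources(nsswitch_text):
    """Return the ordered sources on the 'sudoers:' line, or [] if there is none."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("sudoers:"):
            # Skip action items such as [NOTFOUND=return]; keep source names only.
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []

def authenticated_but_denied(log_text):
    """(user, command) pairs where pam_sss accepted the password and sudo then
    found no rule. Assumes the success line is logged before the denial."""
    sss_users, hits = set(), []
    for line in log_text.splitlines():
        ok, denied = SSS_OK.search(line), DENIED.search(line)
        if ok:
            sss_users.add(ok.group(1))
        elif denied and denied.group(1) in sss_users:
            hits.append((denied.group(1), denied.group(2).strip()))
    return hits

def diagnose(nsswitch_text, log_text):
    findings = []
    sources = sudoers_sources(nsswitch_text)
    if "sss" not in sources:
        findings.append("nsswitch.conf: 'sss' missing from sudoers sources %r" % sources)
    for user, cmd in authenticated_but_denied(log_text):
        findings.append("%s authenticated via pam_sss but sudo found no rule for %s" % (user, cmd))
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(NSSWITCH_BAD, AUTH_LOG)))
```

A denial that follows a pam_sss success means the password check through SSSD worked and the failure is in the sudo rule lookup, so the sudoers sources and the SSSD sudo configuration are the places to look.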

