Thank you for the reply, Alex, though I'm a little confused as to whether I am answering the correct email. I have taken a look at the example sssd.conf you advised, and I'm a little curious whether the configuration supports having multiple IPA servers? I have a multi-master setup with two servers. I tried to add both servers to the ldap uri and to the krb5 section, but the service refused to start. Also I have to note that this not being able to sudo only seems to affect physical servers, and not the virtual machines I have applied it against. Also, unfortunately, this didn't work either. I guess I will try a reboot first if I can.
sudo debug:

[root@waphost IPA-configs]# su - oowolabi
[oowolabi@waphost ~]$ sudo service httpd status
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=SUDOers,dc=qrios,dc=com
sudo: ldap search '(|(sudoUser=oowolabi)(sudoUser=%oowolabi)(sudoUser=%#721800009)(sudoUser=%admins)(sudoUser=%employees)(sudoUser=%qrios)(sudoUser=%#721800000)(sudoUser=%#721800006)(sudoUser=%#721800008)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: searching LDAP for sudoers entries
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for oowolabi:
oowolabi is not allowed to run sudo on waphost.  This incident will be reported.
[oowolabi@waphost ~]$ exit

On Wed, Jun 12, 2013 at 10:10 AM, Alexander Bokovoy <[email protected]> wrote:

> On Wed, 12 Jun 2013, Matt . wrote:
>
>> Hi,
>>
>> A lot of people seem to have problems with Sudo and FreeIPA.
>>
>> How to enable sudo is described here:
>>
>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>
>> The problem we are facing, also discussed on IRC, is that there is looked
>> in the local sudoers file of the client if the logged-in user may sudo. Of
>> course the username is not known there.
>>
> Not sure what exactly is your problem? Could you please rephrase and
> show it with logs again?
>
> If you are using SSSD's sudo integration against IPA server, then here
> is what you need to get it working on Fedora 18/19 and RHEL 6.4:
>
> 1. install libsss_sudo package
>
> 2. Add/change following line to /etc/nsswitch.conf
>
> sudoers: files sss
>
> 3. Make sure your /etc/sssd/sssd.conf looks like this example:
> http://abbra.fedorapeople.org/.paste/sssd.conf.example
>
> 4. Restart sssd
>
> These are the only actions I needed to get sudo working for IPA users on
> Fedora 19 and RHEL 6.4.
>
> Please note that sudoers: files sss
> gives you chance to have local users configured in local sudoers. If you
> don't want them to be able to use sudo, just change the line in
> /etc/nsswitch.conf to
> sudoers: sss
>
> --
> / Alexander Bokovoy
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
best regards,
Sina Owolabi
+2348034022578
+2348176469061
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
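Added example, written here for this thread; it is not code from the thread, from SSSD or from FreeIPA. It checks the client-side pieces of Alexander's four-step recipe (the `sudoers:` line in nsswitch.conf, the sudo responder and sudo provider in sssd.conf) against small config fragments, and pulls the decision-relevant facts out of the sudo debug output Sina posted. The nsswitch.conf and sssd.conf fragments and the hostnames `ipa1.example.test` / `ipa2.example.test` are constructed for the example; the `ipa_server` key is documented in sssd-ipa(5) as taking a comma-separated list, which is the usual way to point one client at both masters of a multi-master setup. One thing worth noticing in the posted output: `ldap_set_option` / `ldap_start_tls_s` lines are printed by sudo's own LDAP backend (the `ldap` source in nsswitch.conf), not by the `sss` source that step 2 configures, and the checker reports that as `direct_ldap`.

```python
"""Checks for the SSSD sudo setup discussed in the thread (added example)."""
import configparser
import re

# Constructed nsswitch.conf fragment, before step 2: sudo still uses its own LDAP backend.
NSSWITCH_BEFORE = """\
passwd:     files sss
group:      files sss
sudoers:    files ldap
"""

# Constructed nsswitch.conf fragment, after step 2 of the quoted reply.
NSSWITCH_AFTER = """\
passwd:     files sss
group:      files sss
sudoers:    files sss
"""

# Constructed sssd.conf fragment: sudo responder enabled, two (hypothetical) IPA
# masters listed; ipa_server accepts a comma-separated list.
SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = qrios.com

[domain/qrios.com]
id_provider = ipa
auth_provider = ipa
sudo_provider = ipa
ipa_server = _srv_, ipa1.example.test, ipa2.example.test
"""

# Lines copied from the sudo debug output in the message above.
SUDO_DEBUG = """\
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
sudo: result now has 0 entries
sudo: result now has 0 entries
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
"""


def nsswitch_sudoers_sources(text):
    """Return the source list on the 'sudoers:' line of nsswitch.conf ([] if absent)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sudoers":
            return value.split()
    return []


def sssd_sudo_findings(text):
    """Return the problems an sssd.conf has for sudo integration (empty list = looks OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        problems.append("[sssd] services does not include sudo")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sect = "domain/" + dom
        # SSSD falls back to id_provider when sudo_provider is not set explicitly.
        provider = cp.get(sect, "sudo_provider", fallback=None) or cp.get(sect, "id_provider", fallback=None)
        if provider not in ("ipa", "ldap"):
            problems.append("[%s] has no ipa/ldap sudo provider (got %r)" % (sect, provider))
    return problems


def ipa_servers(text, domain):
    """Return the ipa_server list configured for one domain section of sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get("domain/" + domain, "ipa_server", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def summarize_sudo_debug(text):
    """Extract the decision-relevant facts from sudo's LDAP debug lines."""
    summary = {"direct_ldap": False, "entries": 0, "user_matches": None, "host_matches": None}
    for line in text.splitlines():
        # ldap_set_option / ldap_start_tls_s / ldap_sasl_bind_s come from sudo's built-in
        # LDAP backend, i.e. the 'ldap' source in nsswitch.conf, not from the 'sss' source.
        if line.startswith("sudo: ldap_"):
            summary["direct_ldap"] = True
        m = re.match(r"sudo: result now has (\d+) entries", line)
        if m:
            summary["entries"] += int(m.group(1))
        m = re.match(r"sudo: (user|host)_matches=(\d+)", line)
        if m:
            summary[m.group(1) + "_matches"] = int(m.group(2))
    return summary


if __name__ == "__main__":
    print("nsswitch before:", nsswitch_sudoers_sources(NSSWITCH_BEFORE))
    print("nsswitch after: ", nsswitch_sudoers_sources(NSSWITCH_AFTER))
    print("sssd.conf findings:", sssd_sudo_findings(SSSD_CONF) or "none")
    print("ipa servers:", ipa_servers(SSSD_CONF, "qrios.com"))
    print("sudo debug:", summarize_sudo_debug(SUDO_DEBUG))
```

Run it on the real files by reading `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` into the functions; `direct_ldap` being true together with `sudoers: files ldap` in nsswitch.conf means sudo never asked SSSD at all, so step 2 rather than sssd.conf is the first thing to fix.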
