On 06/12/2013 02:51 PM, Pavel Březina wrote:
On 06/12/2013 02:37 PM, Jakub Hrozek wrote:
On Wed, Jun 12, 2013 at 11:22:35AM +0200, Matt . wrote:
Hi,

The package as you described is installed, the config lines are set as you show it.

This is what I see in auth.log, my sssd_sudo does not show a thing:

Jun 12 11:19:16 server sudo: pam_unix(sudo:auth): authentication failure; logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): User info message: Your password will expire in 89 day(s).
Jun 12 11:19:16 server sudo: pam_sss(sudo:auth): authentication success; logname=USERNAME uid=866600006 euid=0 tty=/dev/pts/0 ruser=USERNAME rhost= user=USERNAME
Jun 12 11:19:16 server sudo: USERNAME : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/su

Pavel, I know you were debugging this problem on IRC, was there any
conclusion?


No. I'm waiting for our lab to come back online so I can try to
reproduce it.

I followed the deployment guide and everything works fine. If you still have a problem, please start over and follow:
[1] for sudo-ldap-ipa
[2] for sudo-sssd-ipa

Check list:
- NIS domain has to be set to IPA domain

- hostname must be set to fqdn

- sudo-ldap configuration file on RHEL systems is located at
  # sudo -V | grep ldap.conf
  ldap.conf path: /etc/sudo-ldap.conf

- nsswitch must contain sudoers: ldap or sudoers: sss
  # cat /etc/nsswitch.conf  | grep sudoers
  sudoers: files ldap


[1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#example-configuring-sudo

[2] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf


Jun 12 11:19:16 server sudo: unable to execute /usr/sbin/sendmail: No such file or directory

I really cannot figure out what to check more.


2013/6/12 Alexander Bokovoy <aboko...@redhat.com>

On Wed, 12 Jun 2013, Matt . wrote:

Hi,

A lot of people seem to have problems with Sudo and FreeIPA.

How to enable sudo is described here:

http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf


The problem we are facing, also discussed on IRC, is that the local sudoers file of the client is consulted to see if the logged-in user may sudo. Of course the username is not known there.

Not sure what exactly is your problem? Could you please rephrase and
show it with logs again?

If you are using SSSD's sudo integration against IPA server, then here
is what you need to get it working on Fedora 18/19 and RHEL 6.4:

1. install libsss_sudo package

2. Add/change following line to /etc/nsswitch.conf

sudoers: files sss

3. Make sure your /etc/sssd/sssd.conf looks like this example:
http://abbra.fedorapeople.org/.paste/sssd.conf.example

4. Restart sssd

These are the only actions I needed to get sudo working for IPA users on Fedora 19 and RHEL 6.4.

Please note that
    sudoers: files sss
gives you a chance to have local users configured in local sudoers. If you don't want them to be able to use sudo, just change the line in /etc/nsswitch.conf to
    sudoers: sss


--
/ Alexander Bokovoy


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
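
The client-side checklist from the thread (a sss or ldap source on the sudoers line of nsswitch.conf, a fully qualified hostname, NIS domain equal to the IPA domain), written as an added example that is not part of the original messages and is not FreeIPA or SSSD code. All function names are hypothetical, and the sample nsswitch.conf content and example.com names are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not SSSD or FreeIPA code.

# Print the sources on the "sudoers:" line of an nsswitch.conf ($1).
sudoers_sources() {
    sed -n -e 's/#.*//' -e 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" | head -n 1
}

# Succeed if sudo is told to consult SSSD (sss) or sudo-ldap (ldap).
check_sudoers_source() {
    for src in $(sudoers_sources "$1"); do
        case "$src" in sss|ldap) return 0 ;; esac
    done
    return 1
}

# Succeed if $1 has at least two non-empty dot-separated labels.
is_fqdn() {
    case "$1" in
        .*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the NIS domain ($1) equals the IPA domain ($2), ignoring case.
nis_matches_ipa() {
    a=$(printf %s "$1" | tr '[:upper:]' '[:lower:]')
    b=$(printf %s "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Args: nsswitch.conf path, hostname, NIS domain, IPA domain.
sudo_client_report() {
    rc=0
    check_sudoers_source "$1" || { echo "FAIL: no sss/ldap source for sudoers in $1"; rc=1; }
    is_fqdn "$2" || { echo "FAIL: hostname '$2' is not fully qualified"; rc=1; }
    nis_matches_ipa "$3" "$4" || { echo "FAIL: NIS domain '$3' is not IPA domain '$4'"; rc=1; }
    return "$rc"
}

# Constructed sample: a client whose sudoers line only lists "files".
sample=$(mktemp)
printf '%s\n' 'passwd: files sss' 'sudoers: files  # sss not added yet' > "$sample"
sudo_client_report "$sample" client1 "(none)" example.com || echo "client needs fixing"
rm -f "$sample"
# On a real client (ipa.example.com is a placeholder for your IPA domain):
#   sudo_client_report /etc/nsswitch.conf "$(hostname)" "$(nisdomainname)" ipa.example.com
```

A sudoers line that lists only "files" produces the "user NOT in sudoers" result shown in the auth.log excerpt even though pam_sss authentication succeeds, because sudo never asks SSSD or LDAP for rules.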

