Andrew Holway wrote:
It is a bit strange that your ipa_domain and ipa_hostname are the same. I
think the domain should be just local.

I'd run klist -kt /etc/krb5.keytab to see what principals are in there.

ipa_hostname = 192-168-0-110.local
ipa_server = _srv_, 192-168-0-100.local

Hi,

I'm a little confused. They are not the same and these values were
created by the "ipa-client-install" utility.

I think there is some extra magic needed so that I get sudo
working with ipa... The Red Hat docs are a little bit lacking for the
less advanced...

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html

Sure, but first we need to make sssd talk to IPA at all, which it isn't.

Like I said, it looks like your sssd configuration is wrong. You can always un-enroll and re-enroll the client in order to reset things.

rob








Thanks,
Andrew


## I see the following in my client's /var/log/messages after starting
sssd on the client.

Oct 17 17:35:46 zabbix sssd: Starting up
Oct 17 17:35:46 zabbix sssd[be[192-168-0-100.local]]: Starting up
Oct 17 17:35:46 zabbix sssd[nss]: Starting up
Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error processing
keytab file [default]: Principal [host/192-168-0-100.local@LOCAL] was
not found. Unable to create GSSAPI-encrypted LDAP connection.
Oct 17 17:35:46 zabbix sssd[sudo]: Starting up
Oct 17 17:35:46 zabbix sssd[ssh]: Starting up
Oct 17 17:35:46 zabbix sssd[pac]: Starting up
Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error writing to key
table
Oct 17 17:35:46 zabbix sssd[pam]: Starting up

## And the following when user "andrew" tries to sudo on the client.

Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error processing
keytab file [default]: Principal [host/192-168-0-100.local@LOCAL] was
not found. Unable to create GSSAPI-encrypted LDAP connection.
Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error writing to key
table

## The user and sudo rules in ipa.

[root@192-168-0-100 ~]# ipa sudorule-show add_sudo
    Rule name: add_sudo
    Enabled: TRUE
    Host category: all
    Command category: all
    RunAs User category: all
    RunAs Group category: all
    Users: andrew
[root@192-168-0-100 ~]# ipa user-show andrew
    User login: andrew
    First name: Andrew
    Last name: Holway
    Home directory: /home/andrew
    Login shell: /bin/bash
    Email address: and...@local.com
    UID: 1876600003
    GID: 1876600003
    Account disabled: False
    Password: True
    Member of groups: admins, ipausers, trust admins
    Member of Sudo rule: add_sudo
    Kerberos keys available: True
    SSH public key fingerprint:
35:08:9D:5E:F7:96:2A:FA:E4:60:76:4E:8A:12:FE:15 (ssh-dss)

## /etc/sssd/sssd.conf on the client


# /etc/sssd/sssd.conf as posted for the client 192-168-0-110.local.
# NOTE(review): the domain section is named after the IPA *server's* host
# name (192-168-0-100.local); the reply earlier in the thread suggests the
# domain should be just "local" — confirm against what ipa-client-install
# was given.
[domain/192-168-0-100.local]

# Keep credentials cached locally so logins still work when the IPA server
# is unreachable.
cache_credentials = True
krb5_store_password_if_offline = True
# Realm is upper-case here and in /etc/krb5.conf (default_realm = LOCAL);
# compare with ldap_sasl_realm further down.
krb5_realm = LOCAL
# Looks like a host name rather than a DNS domain — TODO confirm.
ipa_domain = 192-168-0-100.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
# CA used to validate the IPA server certificate.
ldap_tls_cacert = /etc/ipa/ca.crt
# This client's own host name. Its host principal in /etc/krb5.keytab would
# presumably be host/192-168-0-110.local@LOCAL — verify with:
#   klist -kt /etc/krb5.keytab
ipa_hostname = 192-168-0-110.local
chpass_provider = ipa
# _srv_ presumably means "discover the server via DNS SRV records first",
# with the explicit host as fallback; discovery uses dns_discovery_domain.
ipa_server = _srv_, 192-168-0-100.local
# Same value as ipa_domain and also looks like a host name — TODO confirm.
dns_discovery_domain = 192-168-0-100.local

# Sudo rules are fetched with the generic LDAP provider rather than the IPA
# provider, so the ldap_* keys below apply to sudo lookups only.
sudo_provider = ldap
# Plain ldap://; the GSSAPI bind below is the only protection configured in
# this file for the sudo lookup. TODO confirm the server requires SASL
# integrity/confidentiality, or use ldaps://.
ldap_uri = ldap://192-168-0-100.local
ldap_sudo_search_base = ou=sudoers,dc=local
ldap_sasl_mech = GSSAPI
# NOTE(review): this is the *server's* host principal, not this client's
# (ipa_hostname above is 192-168-0-110.local). The /var/log/messages lines
# earlier in the thread report exactly this principal as "not found" in the
# keytab, so the GSSAPI bind for sudo lookups fails. Verify with klist -kt.
ldap_sasl_authid = host/192-168-0-100.local@LOCAL
# Lower-case, while krb5_realm above is LOCAL; Kerberos realm names are
# case-sensitive, so this most likely should match krb5_realm.
ldap_sasl_realm = local
krb5_server = 192-168-0-100.local

[sssd]
# Responders enabled by this file; the [autofs] and [pac] sections below
# are empty.
services = nss, pam, ssh, sudo
config_file_version = 2

domains = 192-168-0-100.local
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


## /etc/nsswitch.conf on client

#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

# Local files first, then sssd (the "sss" module) for users and groups.
passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus
# Sudo rule lookups consult local files first, then sssd's sudo responder;
# this entry is presumably what makes the IPA sudo rules shown above apply
# on this client, provided sssd can actually reach the server.
sudoers: files sss

## selinux

SELinux status:                 disabled on both client and server

## /etc/krb5.conf on the client

#File modified by ipa-client-install
# /etc/krb5.conf as posted for the client. The realm name is LOCAL
# (upper case); the sssd.conf above uses ldap_sasl_realm = local, which
# does not match.

# Snippets maintained by sssd (presumably KDC location info) are pulled in
# from this directory.
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
    default_realm = LOCAL
    # Realm and KDC are not discovered via DNS; the [realms] stanza below is
    # authoritative for where the KDC lives.
    dns_lookup_realm = false
    dns_lookup_kdc = false
    # Do not canonicalise host names through reverse DNS when building
    # service principal names.
    rdns = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    LOCAL = {
      kdc = 192-168-0-100.local:88
      master_kdc = 192-168-0-100.local:88
      admin_server = 192-168-0-100.local:749
      default_domain = 192-168-0-100.local
      # CA trusted when validating the KDC certificate for PKINIT.
      pkinit_anchors = FILE:/etc/ipa/ca.crt
    }

[domain_realm]
    # Both the server host name and the whole .local suffix map to LOCAL.
    .192-168-0-100.local = LOCAL
    192-168-0-100.local = LOCAL
    .local = LOCAL
    local = LOCAL

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


