@Dmitri - Thank you for your reply, that is actually one of the documents
I read, however there seem to be some steps missing as with the
configuration elements in place sudo doesn't work

dtaylor is not allowed to run sudo on ipa-client.  This incident will be
reported.

There is some note about configuring a password on the ldap user however
following the suggestions I found didn't actually work.


Best regards
David Taylor


-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, 11 March 2014 10:49 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSS for sudoers confusion

On 03/10/2014 07:34 PM, David Taylor wrote:
> Hi all,
>             I'm in the process of testing IPA server for centralised
> authentication of our linux hosts. We run CentOS 6.5 and it's all new
> so we have no legacy issues.
>
> In the lab I've set up an IPA server with the yum install and used a
> local bind instance which all seems to be working correctly. Where the
> issues begin is with the sudoers functionality. After reading the
> manual and consulting Google sensei I found a number of resources that
> talk about setting up ldap either natively in the nsswitch.conf file
> or via sssd, I've tried a number of slightly different configurations
> on the client side with little effect. So the question is "what is the
> process for configuring an IPA system to handle sudo functionality".
>
> Any help is greatly appreciated.

http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

>
> ----------------------nssswitch.conf----------------------------------
> ----
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be #
> sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an # entry
> should stop if the search in the previous entry turned # up nothing.
> Note that if the search failed due to some other reason # (like no NIS
> server responding) then the search continues with the # next entry.
> #
> # Valid entries include:
> #
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       db                      Use the local database (.db) files
> #       compat                  Use NIS on compat mode
> #       hesiod                  Use Hesiod for user lookups
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to
> be # looked up first in the databases # # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> sudoers:    files sss
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files sss
> aliases:    files nisplus
>
> ----------------------------------------------------------------------
> ----
> -----------------------------
> ---------------
> sssd.conf-------------------------------------------------------------
> ----
> -----------
> [domain/test.example.net]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = TEST.EXAMPLE.NET
> krb5_server = ipa-server-1.test.example.net ipa_domain =
> test.example.net id_provider = ipa auth_provider = ipa access_provider
> = ipa ipa_hostname = ipa-server-1.test.example.net chpass_provider =
> ipa ipa_dyndns_update = True ipa_server = _srv_,
> ipa-server-1.test.example.net ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_uri = ldap://ipa-server-1.test.example.net
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> sudo_provider = ldap
> ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipa-client.test.example.net ldap_sasl_realm =
> TEST.EXAMPLE.NET
>
> domains = test.example.net
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
> ----------------------------------------------------------------------
> ----
> -------------------------------
>
> Best regards
> David Taylor
>
> David Taylor
> Head of Engineering - SpeedCast Pacific
>
>
>
> Level 1, Unit 4F
> 12 Lord St, Botany
> NSW, Australia, 2019
> Office                      +61 2 9531 7555
> Direct:               +61 2 9086 2787
> Mobile:              +61 4 3131 1146
> 24x7 Helpdesk   +61 2 9016 3222
> Web:                http://www.example.com / www.speedcast.com
>
> To strengthen our corporate identity in target markets worldwide,
> effective 18th January, we have commenced operating under the
> SpeedCast name. Read More
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to