Ok here is the info that finally made it all work
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html

I seem to have had all the elements in there already so I suspect it was a statement order issue.

Best regards
David Taylor

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dmitri Pal
Sent: Tuesday, 11 March 2014 10:49 AM
To: [email protected]
Subject: Re: [Freeipa-users] SSS for sudoers confusion

On 03/10/2014 07:34 PM, David Taylor wrote:
> Hi all,
> I'm in the process of testing IPA server for centralised authentication of our linux hosts. We run CentOS 6.5 and it's all new so we have no legacy issues.
>
> In the lab I've set up an IPA server with the yum install and used a local bind instance which all seems to be working correctly. Where the issues begin is with the sudoers functionality. After reading the manual and consulting Google sensei I found a number of resources that talk about setting up ldap either natively in the nsswitch.conf file or via sssd. I've tried a number of slightly different configurations on the client side with little effect. So the question is "what is the process for configuring an IPA system to handle sudo functionality".
>
> Any help is greatly appreciated.

http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

> ---------------------- nsswitch.conf ----------------------
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #   nisplus                 Use NIS+ (NIS version 3)
> #   nis                     Use NIS (NIS version 2), also called YP
> #   dns                     Use DNS (Domain Name Service)
> #   files                   Use the local files
> #   db                      Use the local database (.db) files
> #   compat                  Use NIS on compat mode
> #   hesiod                  Use Hesiod for user lookups
> #   [NOTFOUND=return]       Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> sudoers:    files sss
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files sss
> aliases:    files nisplus
>
> -----------------------------------------------------------
>
> ---------------------- sssd.conf --------------------------
> [domain/test.example.net]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = TEST.EXAMPLE.NET
> krb5_server = ipa-server-1.test.example.net
> ipa_domain = test.example.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-server-1.test.example.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa-server-1.test.example.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_uri = ldap://ipa-server-1.test.example.net
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> sudo_provider = ldap
> ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipa-client.test.example.net
> ldap_sasl_realm = TEST.EXAMPLE.NET
>
> domains = test.example.net
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
> -----------------------------------------------------------
>
> Best regards
> David Taylor
>
> David Taylor
> Head of Engineering - SpeedCast Pacific
>
> Level 1, Unit 4F
> 12 Lord St, Botany
> NSW, Australia, 2019
> Office +61 2 9531 7555
> Direct: +61 2 9086 2787
> Mobile: +61 4 3131 1146
> 24x7 Helpdesk +61 2 9016 3222
> Web: http://www.example.com / www.speedcast.com
>
> To strengthen our corporate identity in target markets worldwide, effective 18th January, we have commenced operating under the SpeedCast name. Read More
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
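The thread ends with "statement order issue" and a link, without spelling out what was misplaced. As an added example (not code from the list, from SSSD or from FreeIPA), the script below checks a client's sssd.conf and nsswitch.conf for the sudo-related mistakes a reviewer would look for in the posted config. It assumes what sssd.conf(5) and sssd-ldap(5) document: sudo_provider, ldap_sudo_search_base and the ldap_sasl_* options are per-domain settings, so placing them under [sssd] does not configure sudo for the domain; that the sudo responder must be listed in services and sss must appear on the nsswitch.conf sudoers line; and that sssd-ipa(5) describes ipa_hostname as the client's own fully qualified name, which the posted config sets to the server's name while ldap_sasl_authid names the client. The sample configs are constructed from the ones in the post, trimmed to the lines the checks look at.

```python
"""Check the sudo-related parts of an sssd.conf / nsswitch.conf pair.

Added example for this thread, not code from the mailing list, SSSD or FreeIPA.
Assumptions (from sssd.conf(5), sssd-ldap(5), sssd-ipa(5)): the options in
DOMAIN_ONLY_SUDO_OPTIONS only take effect inside a [domain/...] section, sudo
must be listed in [sssd] services and on the nsswitch sudoers line, and
ipa_hostname names the client itself (the same host as ldap_sasl_authid).
"""
import configparser
import io

# Constructed from the posted sssd.conf: the sudo options sit under [sssd].
POSTED_SSSD_CONF = """\
[domain/test.example.net]
cache_credentials = True
krb5_realm = TEST.EXAMPLE.NET
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-server-1.test.example.net
ipa_server = _srv_, ipa-server-1.test.example.net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test.example.net
ldap_sasl_realm = TEST.EXAMPLE.NET
domains = test.example.net

[nss]
[pam]
[sudo]
"""

# Constructed: the relevant lines of the posted nsswitch.conf.
POSTED_NSSWITCH = "passwd: files sss\nsudoers: files sss\nnetgroup: files sss\n"

# Options that only take effect inside a [domain/...] section (assumption above).
DOMAIN_ONLY_SUDO_OPTIONS = ("sudo_provider", "ldap_sudo_search_base",
                            "ldap_sasl_mech", "ldap_sasl_authid", "ldap_sasl_realm")


def _parse(conf_text):
    # sssd.conf is INI-style with '#' comments, which configparser handles.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def _domains(cp):
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def check_sssd_sudo(conf_text, nsswitch_text):
    """Return a list of findings; an empty list means the sudo setup is consistent."""
    cp = _parse(conf_text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services does not include sudo; the sudo responder is not started")
    for opt in DOMAIN_ONLY_SUDO_OPTIONS:
        if cp.has_option("sssd", opt):
            findings.append(f"{opt} is set in [sssd] but is a per-domain option; move it under [domain/...]")
    for dom in _domains(cp):
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append(f"domains lists {dom} but there is no [{sect}] section")
            continue
        provider = cp.get(sect, "sudo_provider", fallback=None)
        if provider is None:
            findings.append(f"[{sect}] has no sudo_provider; no sudo rules are fetched for it")
        elif provider == "ldap" and not cp.has_option(sect, "ldap_sudo_search_base"):
            findings.append(f"[{sect}] uses sudo_provider = ldap without ldap_sudo_search_base")
        # The SASL identity names the client host; ipa_hostname must name the same host.
        authid = (cp.get(sect, "ldap_sasl_authid", fallback=None)
                  or cp.get("sssd", "ldap_sasl_authid", fallback=None))
        ipa_hostname = cp.get(sect, "ipa_hostname", fallback=None)
        if authid and ipa_hostname and authid.startswith("host/") and authid[5:] != ipa_hostname:
            findings.append(f"[{sect}] ipa_hostname is {ipa_hostname} but ldap_sasl_authid is "
                            f"{authid}; ipa_hostname should be this client's own FQDN")
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            if "sss" not in line.split(":", 1)[1].split():
                findings.append("nsswitch.conf sudoers line does not list sss")
            break
    else:
        findings.append("nsswitch.conf has no sudoers line")
    return findings


def move_sudo_options_to_domains(conf_text):
    """Rewrite conf_text with the per-domain sudo options moved out of [sssd].

    Comments are not preserved (configparser drops them on write)."""
    cp = _parse(conf_text)
    domains = _domains(cp)
    for opt in DOMAIN_ONLY_SUDO_OPTIONS:
        if cp.has_option("sssd", opt):
            value = cp.get("sssd", opt)
            cp.remove_option("sssd", opt)
            for dom in domains:
                sect = f"domain/{dom}"
                if cp.has_section(sect) and not cp.has_option(sect, opt):
                    cp.set(sect, opt, value)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for f in check_sssd_sudo(POSTED_SSSD_CONF, POSTED_NSSWITCH):
        print("posted:   ", f)
    moved = move_sudo_options_to_domains(POSTED_SSSD_CONF)
    for f in check_sssd_sudo(moved, POSTED_NSSWITCH):
        print("after move:", f)
```

On the posted config the checker reports the five sudo options under [sssd], the missing sudo_provider in the domain section, and the ipa_hostname mismatch; after moving the options into the domain only the hostname finding remains, which move_sudo_options_to_domains deliberately does not touch because the correct value is the client's own name. To use it on a real client, read /etc/sssd/sssd.conf and /etc/nsswitch.conf into the two arguments; after editing sssd.conf, restart sssd and confirm with `sudo -l` as an IPA user.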
