On Tue, 11 Mar 2014, David Taylor wrote:
@Dmitri - Thank you for your reply, that is actually one of the documents
I read, however there seem to be some steps missing as with the
configuration elements in place sudo doesn't work

dtaylor is not allowed to run sudo on ipa-client.  This incident will be

There is some note about configuring a password on the ldap user however
following the suggestions I found didn't actually work.
From your original email I can see that you put sudo provider
configuration into wrong section in sssd.conf. No wonder it does not
work. Any provider configuration must be in the domain section.

In RHEL 6.5 and before you can do like I describe here:

In Fedora 20 you don't need to add anything for IPA case because sssd
will set everything up by default for IPA provider.

Did you actually read man page sssd-sudo(5)? It has exact configuration
changes you need to do.

Best regards
David Taylor

-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, 11 March 2014 10:49 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSS for sudoers confusion

On 03/10/2014 07:34 PM, David Taylor wrote:
Hi all,
            I'm in the process of testing IPA server for centralised
authentication of our linux hosts. We run CentOS 6.5 and it's all new
so we have no legacy issues.

In the lab I've set up an IPA server with the yum install and used a
local bind instance which all seems to be working correctly. Where the
issues begin is with the sudoers functionality. After reading the
manual and consulting Google sensei I found a number of resources that
talk about setting up ldap either natively in the nsswitch.conf file
or via sssd, I've tried a number of slightly different configurations
on the client side with little effect. So the question is "what is the
process for configuring an IPA system to handle sudo functionality".

Any help is greatly appreciated.


# /etc/nsswitch.conf
# An example Name Service Switch config file. This file should be #
sorted with the most-used services at the beginning.
# The entry '[NOTFOUND=return]' means that the search for an # entry
should stop if the search in the previous entry turned # up nothing.
Note that if the search failed due to some other reason # (like no NIS
server responding) then the search continues with the # next entry.
# Valid entries include:
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far

# To use db, put the "db" in front of "files" for entries you want to
be # looked up first in the databases # # Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
sudoers:    files sss
netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus


cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = TEST.EXAMPLE.NET
krb5_server = ipa-server-1.test.example.net ipa_domain =
test.example.net id_provider = ipa auth_provider = ipa access_provider
= ipa ipa_hostname = ipa-server-1.test.example.net chpass_provider =
ipa ipa_dyndns_update = True ipa_server = _srv_,
ipa-server-1.test.example.net ldap_tls_cacert = /etc/ipa/ca.crt
ldap_uri = ldap://ipa-server-1.test.example.net

services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test.example.net ldap_sasl_realm =

domains = test.example.net






Best regards
David Taylor

David Taylor
Head of Engineering - SpeedCast Pacific

Level 1, Unit 4F
12 Lord St, Botany
NSW, Australia, 2019
Office                      +61 2 9531 7555
Direct:               +61 2 9086 2787
Mobile:              +61 4 3131 1146
24x7 Helpdesk   +61 2 9016 3222
Web:                http://www.example.com / www.speedcast.com

To strengthen our corporate identity in target markets worldwide,
effective 18th January, we have commenced operating under the
SpeedCast name. Read More

Freeipa-users mailing list

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Freeipa-users mailing list

/ Alexander Bokovoy

Freeipa-users mailing list

Reply via email to