On (21/03/14 09:32), Arthur Faizullin wrote:
>Will it be represented in documentation&wiki? :)
>
It is written in manual pages:
    man sssd-sudo
        -> CONFIGURING SUDO TO COOPERATE WITH SSSD
        -> CONFIGURING SSSD TO FETCH SUDO RULES

Any contribution is welcomed.
If you want to upgrade documentation or wiki you can do it.
http://www.freeipa.org/page/Contribute#How_Can_I_Help.3F

LS

>25.02.2014 18:33, Jakub Hrozek wrote:
>> On Tue, Feb 25, 2014 at 10:28:19AM +0100, Stanislav Zidek wrote:
>>>> Date: Fri, 17 Jan 2014 09:46:08 -0500
>>>> From: Dmitri Pal <d...@redhat.com>
>>>> To: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] SSSD Failover does not work
>>>> Message-ID: <52d94230.6080...@redhat.com>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>> You would need to up the debug_level to 6 on SSSD, restart it, then
>>>> simulate the situation and provide sanitized logs and sssd configuration
>>>> file.
>>> Hi and sorry for late reply, I've been ill and then lots of work waited
>>> for me ;)
>>>
>>> I tried to further debug the issue and I was able to make it work by
>>> adding the second ipa server also to directives ldap_uri and krb5_server
>>> (it was probably my mistake to put it only to ipa_server) - of course in
>>> /etc/sssd/sssd.conf
>>>
>>> Here is my working /etc/sssd/sssd.conf in case anyone finds it useful
>>> (or someone has a comment - feel free to tell me how to make things better):
>>>
>>> [domain/kajot.cz]
>>>
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = kajot.cz
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> ipa_hostname = <<<SERVER NAME>>>
>>> chpass_provider = ipa
>>> ipa_server = id1.kajot.cz, id2.kajot.cz
>>>
>>> # For the SUDO integration
>>> sudo_provider = ldap
>>> ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz
>>> ldap_sudo_search_base = ou=sudoers,dc=kajot,dc=cz
>>> ldap_sasl_mech = GSSAPI
>>> ldap_sasl_authid = host/redmine.kajot.cz
>>> ldap_sasl_realm = KAJOT.CZ
>>> krb5_server = id1.kajot.cz, id2.kajot.cz
>>>
>>>
>>> ldap_sudo_smart_refresh_interval = 120
>>> ldap_sudo_full_refresh_interval = 300
>>>
>>> [sssd]
>>> services = nss, pam, ssh, sudo
>>> config_file_version = 2
>>>
>>> domains = kajot.cz
>>>
>>> [nss]
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>>
>>>
>>> P.S. I hope it gets posted to the right place, Thunderbird and digest
>>> mode is probably not a very good combination. If it goes wrong, sorry in
>>> advance.
>>>
>>> S.
>>>
>> Ah, I didn't realize you were mixing several provider types. It's the
>> right thing to do for sudo integration with RHEL-6, unfortunately.
>>
>> In 6.6 there will be (and there already is in 7.0 and upstream 1.9.6 and
>> later) a native sudo_provider=ipa so you'll be able to streamline your
>> configuration even more.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
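
The failover problem discussed in this thread (a second server listed in ipa_server but not in ldap_uri and krb5_server while sudo_provider = ldap) can be checked for mechanically. The script below is an added example, not part of the original messages or of SSSD; the host names and the sample configuration are constructed, and it assumes the mixed ipa/ldap provider setup shown above.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the second server was added to ipa_server only.
SAMPLE = """\
[domain/example.test]
id_provider = ipa
ipa_server = ipa1.example.test, ipa2.example.test
sudo_provider = ldap
ldap_uri = ldap://ipa1.example.test
krb5_server = ipa1.example.test

[sssd]
domains = example.test
"""

def hosts(value):
    """Split a comma-separated SSSD server list into lowercase host names."""
    out = []
    for item in (part.strip() for part in value.split(",")):
        if not item or item == "_srv_":  # _srv_ means DNS discovery, not a host
            continue
        # ldap_uri entries are URIs; ipa_server/krb5_server are host[:port].
        host = urlparse(item).hostname if "://" in item else item.split(":")[0]
        if host:
            out.append(host.lower())
    return out

def failover_gaps(conf_text):
    """Return {section: {option: [hosts in ipa_server missing from option]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    gaps = {}
    for section in cp.sections():
        dom = cp[section]
        # Only domains that use the LDAP sudo provider need the extra lists.
        if (not section.startswith("domain/")
                or dom.get("sudo_provider", "").strip().lower() != "ldap"):
            continue
        expected = hosts(dom.get("ipa_server", ""))
        for opt in ("ldap_uri", "krb5_server"):
            have = hosts(dom.get(opt, ""))
            missing = [h for h in expected if h not in have]
            if missing:
                gaps.setdefault(section, {})[opt] = missing
    return gaps

if __name__ == "__main__":
    print(failover_gaps(SAMPLE))
```

To check a real host, pass the contents of /etc/sssd/sssd.conf to failover_gaps(); an empty result means every ipa_server host is also present in both lists.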
