On (21/03/14 09:32), Arthur Faizullin wrote:
>Will it be represented in documentation&wiki? :)
>
It is written in manual pages:
man sssd-sudo
-> CONFIGURING SUDO TO COOPERATE WITH SSSD
-> CONFIGURING SSSD TO FETCH SUDO RULES

Any contribution is welcomed. If you want to upgrade documentation or wiki you can do it.
http://www.freeipa.org/page/Contribute#How_Can_I_Help.3F

LS

>25.02.2014 18:33, Jakub Hrozek wrote:
>> On Tue, Feb 25, 2014 at 10:28:19AM +0100, Stanislav Zidek wrote:
>>>> Date: Fri, 17 Jan 2014 09:46:08 -0500
>>>> From: Dmitri Pal <d...@redhat.com>
>>>> To: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] SSSD Failover does not work
>>>> Message-ID: <52d94230.6080...@redhat.com>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>> You would need to up the debug_level to 6 on SSSD, restart it, then
>>>> simulate the situation and provide sanitized logs and sssd configuration
>>>> file.
>>> Hi and sorry for late reply, I've been ill and then lots of work waited
>>> for me ;)
>>>
>>> I tried to further debug the issue and I was able to make it work by
>>> adding the second ipa server also to directives ldap_uri and krb5_server
>>> (it was probably my mistake to put it only to ipa_server) - of course in
>>> /etc/sssd/sssd.conf
>>>
>>> Here is my working /etc/sssd/sssd.conf in case anyone finds it useful
>>> (or someone has a comment - feel free to tell me how to make things better):
>>>
>>> [domain/kajot.cz]
>>>
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = kajot.cz
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> ipa_hostname = <<<SERVER NAME>>>
>>> chpass_provider = ipa
>>> ipa_server = id1.kajot.cz, id2.kajot.cz
>>>
>>> # For the SUDO integration
>>> sudo_provider = ldap
>>> ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz
>>> ldap_sudo_search_base = ou=sudoers,dc=kajot,dc=cz
>>> ldap_sasl_mech = GSSAPI
>>> ldap_sasl_authid = host/redmine.kajot.cz
>>> ldap_sasl_realm = KAJOT.CZ
>>> krb5_server = id1.kajot.cz, id2.kajot.cz
>>>
>>>
>>> ldap_sudo_smart_refresh_interval = 120
>>> ldap_sudo_full_refresh_interval = 300
>>>
>>> [sssd]
>>> services = nss, pam, ssh, sudo
>>> config_file_version = 2
>>>
>>> domains = kajot.cz
>>>
>>> [nss]
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>>
>>>
>>> P.S. I hope it gets posted to the right place, Thunderbird and digest
>>> mode is probably not very good combination.. If it goes wrong, sorry in
>>> advance.
>>>
>>> S.
>>>
>> Ah, I didn't realize you were mixing several provider types. It's the
>> right thing to do for sudo integration with RHEL-6, unfortunately.
>>
>> In 6.6 there will be (and there already is in 7.0 and upstream 1.9.6 and
>> later) a native sudo_provider=ipa so you'll be able to streamline your
>> configuration even more.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
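
An added example, not part of the thread and not SSSD project code: a small check for the misconfiguration described above, where a domain mixes `id_provider = ipa` with `sudo_provider = ldap` and the second server appears in `ipa_server` but not in `ldap_uri` or `krb5_server`. The function names and the sample configuration are constructed for illustration; only options that are explicitly set are compared.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample reproducing the mistake from the thread:
# the second server is listed in ipa_server only.
SAMPLE_BROKEN = """
[domain/example.test]
id_provider = ipa
sudo_provider = ldap
ipa_server = id1.example.test, id2.example.test
ldap_uri = ldap://id1.example.test
krb5_server = id1.example.test
"""

def _hosts(value, is_uri=False):
    """Turn a comma-separated server list into a set of lowercase hostnames."""
    hosts = set()
    for item in value.split(","):
        item = item.strip()
        if not item or item == "_srv_":  # _srv_ requests DNS service discovery
            continue
        # ldap_uri entries are URIs; the others are hostnames, optionally host:port
        host = urlparse(item).hostname if is_uri else item.split(":")[0]
        if host:
            hosts.add(host.lower())
    return hosts

def missing_failover_hosts(conf_text):
    """Return {section: {option: [hosts in ipa_server but absent from option]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider") != "ipa" or dom.get("sudo_provider") != "ldap":
            continue  # only the mixed-provider setup from the thread is checked
        expected = _hosts(dom.get("ipa_server", ""))
        gaps = {}
        for opt, is_uri in (("ldap_uri", True), ("krb5_server", False)):
            if opt in dom:  # an unset option is left alone
                missing = expected - _hosts(dom[opt], is_uri)
                if missing:
                    gaps[opt] = sorted(missing)
        if gaps:
            findings[section] = gaps
    return findings

if __name__ == "__main__":
    print(missing_failover_hosts(SAMPLE_BROKEN))
```
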