Have you installed libsss_sudo? Try to follow the instruction here: https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html and http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
2014-04-08 22:17 GMT+03:00 Mark Gardner <malek...@gmail.com>:
> I know I'm missing something simple. But I just can't get this ipa client
> to accept any sudo rules.
>
> -sh-4.1$ sudo -l
> [sudo] password for test...@domain.com:
> User test...@domain.com is not allowed to run sudo on cypress.
> -sh-4.1$ id
> uid=11659(test...@domain.com) gid=11659(test...@domain.com)
> groups=11659(testadm@domain.
> com),160400007(ad_klasadm)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> -sh-4.1$ kinit admin
> Password for ad...@hosted.domain.com:
> -sh-4.1$ ipa sudorule-show operations
> Rule name: operations
> Description: KLAS / System Admins
> Enabled: TRUE
> Command category: all
> Users: localadm
> User Groups: ad_operations, ad_operations_external, ad_klasadm,
> ad_klasadm_external
>
> /var/log/sssd/sssd_sudo.log
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting rules for [testadm] from [DOMAIN.COM]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requestinginfo about [test...@domain.com]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [test...@domain.com]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving rules for [test...@domain.com] from [DOMAIN.COM]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid]
> (0x0400): No such entry
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> test...@domain.com
> )(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*))(&(dataExpireTimestamp<=1396984126)))]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid]
> (0x0400): No such entry
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=test...@domain.com
> )(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*)))]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 1 rules for [test...@domain.com]
> (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
>
>
> [root@cypress etc]# cat nsswitch.conf
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> # nisplus Use NIS+ (NIS version 3)
> # nis Use NIS (NIS version 2), also called YP
> # dns Use DNS (Domain Name Service)
> # files Use the local files
> # db Use the local database (.db) files
> # compat Use NIS on compat mode
> # hesiod Use Hesiod for user lookups
> # [NOTFOUND=return] Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd: db files nisplus nis
> #shadow: db files nisplus nis
> #group: db files nisplus nis
>
> passwd: files sss
> shadow: files sss
> group: files sss
> sudoers: files sss
>
> #hosts: db files nisplus nis dns
> hosts: files dns
>
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
>
> netgroup: files sss
>
> publickey: nisplus
>
> automount: files
> aliases: files nisplus
>
> [root@cypress etc]# cd sssd
> [root@cypress sssd]# ls
> sssd.conf sssd.conf.deleted sssd.conf.sv
> [root@cypress sssd]# cat sssd.conf
> [domain/hosted.domain.com]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = hosted.domain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = cypress.hosted.domain.com
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa.hosted.domain.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level=6
>
> #
> # sudo integration
> #
> sudo_provider = ldap
> ldap_uri = ldap://ipa.hosted.domain.com
> ldap_sudo_search_base = ou=sudoers,dc=hosted,dc=domain,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/cypress.hosted.domain.com
> ldap_sasl_realm = HOSTED.DOMAIN.COM
> krb5_server = ipa.hosted.domain.com
>
>
> [sssd]
> services = nss, pam, ssh, pac, sudo
> config_file_version = 2
> domains = hosted.domain.com
> debug_level=6
>
> [nss]
>
>
> [pam]
>
>
> [sudo]
> debug_level=6
>
> [autofs]
>
> [ssh]
>
>
> [pac]
>
> [root@cypress sssd]#
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
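A small client-side checklist for the pieces this thread turns on (libsss_sudo installed, the sudoers database handed to sss in nsswitch.conf, the sudo responder and a sudo_provider in sssd.conf), added here as an example and not part of the thread or of the SSSD project. It runs on constructed copies of the quoted settings; the libsss_sudo.so paths it probes are assumptions for common distributions.

```shell
#!/bin/sh
# Added example (not from the thread): checks the client-side pieces that
# SSSD-backed sudo needs, on samples constructed from the quoted configs.
# Library paths in check_libsss_sudo are assumptions for common distributions.

# check_nsswitch FILE : 0 if the "sudoers:" line hands lookups to sss
check_nsswitch() {
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$1"
}
# check_sssd_services FILE : 0 if [sssd] services= starts the sudo responder
check_sssd_services() {
    awk '/^\[/ { insec = ($0 == "[sssd]") }
         insec && /^[[:space:]]*services[[:space:]]*=/ && $0 ~ /[ ,=]sudo([ ,]|$)/ { found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}
# check_sudo_provider FILE : 0 if a domain section sets sudo_provider
check_sudo_provider() {
    grep -Eq '^[[:space:]]*sudo_provider[[:space:]]*=' "$1"
}
# check_libsss_sudo : 0 if the NSS plugin sudo loads for "sss" is installed
check_libsss_sudo() {
    for f in /usr/lib64/libsss_sudo.so /usr/lib/libsss_sudo.so \
             /usr/lib/x86_64-linux-gnu/libsss_sudo.so; do
        [ -e "$f" ] && return 0
    done
    return 1
}
# Constructed samples mirroring the quoted nsswitch.conf and sssd.conf
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'passwd: files sss\nsudoers: files sss\n' > "$TMP/nsswitch.conf"
cat > "$TMP/sssd.conf" <<'EOF'
[domain/hosted.domain.com]
id_provider = ipa
sudo_provider = ldap
[sssd]
services = nss, pam, ssh, pac, sudo
domains = hosted.domain.com
[sudo]
EOF
# report NSS_FILE SSSD_FILE : one line per check, returns 0 only if all pass
report() {
    rc=0
    check_nsswitch "$1"      && echo "ok   nsswitch: sudoers -> sss"      || { echo "FAIL nsswitch: sudoers lacks sss"; rc=1; }
    check_sssd_services "$2" && echo "ok   sssd.conf: sudo responder on"  || { echo "FAIL sssd.conf: add sudo to services"; rc=1; }
    check_sudo_provider "$2" && echo "ok   sssd.conf: sudo_provider set"  || { echo "FAIL sssd.conf: no sudo_provider"; rc=1; }
    check_libsss_sudo        && echo "ok   libsss_sudo.so present"        || { echo "FAIL libsss_sudo.so missing: install libsss_sudo"; rc=1; }
    return $rc
}
report "$TMP/nsswitch.conf" "$TMP/sssd.conf"
```

Point `report` at the real /etc/nsswitch.conf and /etc/sssd/sssd.conf to run the same checks on a client; a FAIL on the last line is the case the reply above asks about.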