On 04/25/2014 10:16 AM, Stephen Benjamin wrote:
> ----- Original Message -----
>> From: "Jan Cholasta" <jchol...@redhat.com>
>> To: "Martin Kosek" <mko...@redhat.com>, d...@redhat.com, "Stephen Benjamin" 
>> <stben...@redhat.com>
>> Cc: freeipa-users@redhat.com
>> Sent: Friday, April 25, 2014 9:44:37 AM
>> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
>> AFAIK you can use ldap sudo provider with IPA, see e.g.
>> <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
> I got this working, and seems to work across recent Fedora releases too.
> This at least removes the requirement on using the old bind password
> method.  Thanks!
> Is there a way for sssd to use _srv_ for the krb5_server line?
> Here's an updated Kickstart snippet:
> https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> If we know what the Syntax will be for sudo (or will it be default
> in 4.0?), then I can include the logic already not to do it manually.
> - Stephen

Good! A few comments I had when reading the snippet:

For automount, you also want to use --server option and --unattended option
(your version would freeze):

# ipa-client-automount --server vm-086.example.com --unattended
IPA server: vm-086.example.com
Location: default
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.
Started autofs

This is an example from RHEL-6.5.

As for SUDO, did you test the setup? It seems to me you missed adding sss
source to "sudoers" database in nsswitch.conf.

You would also need to set NIS domain name, otherwise SUDO will not correctly
recognize SUDO rules targeted on host groups, instead of hosts:

authconfig --nisdomain example.com --update
nisdomainname example.com

On Fedora or RHEL > 7.0, you would also need to enable systemd service to make
the NIS domain name setup persistent:

# service rhel-domainname.service start
# service fedora-domainname.service start


# service rhel-domainname.service enable
# service fedora-domainname.service enable
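The two sudo client checks above (the sss source in the sudoers database of
nsswitch.conf, and a NIS domain name being set so hostgroup-based rules match)
are easy to get wrong in a kickstart snippet, so here is an added POSIX shell
example that applies and verifies them idempotently. It is not part of this
mail or of Stephen's snippet; it assumes the nsswitch.conf path is passed as
the first argument (so it can be tried against a scratch copy first) and that
the `domainname` utility from the hostname package is available:

```shell
#!/bin/sh
# Added example (not from the original mail). Makes sure the "sudoers"
# database in an nsswitch.conf file lists the sss source, and reports
# whether the NIS domain name sudo needs for hostgroup rules is set.

# ensure_sss_sudoers FILE
# Prints "unchanged", "appended" or "added" depending on what was needed.
ensure_sss_sudoers() {
    file="$1"
    if grep -E '^sudoers:' "$file" | grep -Eq '(^|[[:space:]])sss([[:space:]]|$)'; then
        echo unchanged
    elif grep -Eq '^sudoers:' "$file"; then
        # Keep the existing sources (e.g. "files") and append sss after them.
        sed -E 's/^(sudoers:.*)$/\1 sss/' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        echo appended
    else
        # No sudoers line at all: add the form SSSD documents.
        printf 'sudoers: files sss\n' >> "$file"
        echo added
    fi
}

# nisdomain_ok NAME
# Succeeds only when NAME is a real domain name, not empty or "(none)",
# which is what domainname prints on a host where it was never set.
nisdomain_ok() {
    case "$1" in
        ""|"(none)") return 1 ;;
        *) return 0 ;;
    esac
}

# current_nisdomain_ok
# Checks the running system; fails if domainname is missing or unset.
current_nisdomain_ok() {
    command -v domainname >/dev/null 2>&1 || return 1
    nisdomain_ok "$(domainname 2>/dev/null)"
}

# Stand-alone use: ./check_sudo_client.sh /etc/nsswitch.conf
if [ "$#" -ge 1 ]; then
    echo "nsswitch sudoers: $(ensure_sss_sudoers "$1")"
    if current_nisdomain_ok; then
        echo "NIS domain name: set"
    else
        echo "NIS domain name: NOT set (run: authconfig --nisdomain <domain> --update)"
    fi
fi
```

Run it against a copy of nsswitch.conf first; the exit status of
`current_nisdomain_ok` is what a kickstart %post section can branch on before
deciding whether to call authconfig.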

All these sudo client changes will come for free with FreeIPA 4.0.


Freeipa-users mailing list