On 04/25/2014 10:16 AM, Stephen Benjamin wrote:
> ----- Original Message -----
>> From: "Jan Cholasta" <[email protected]>
>> To: "Martin Kosek" <[email protected]>, [email protected], "Stephen Benjamin" <[email protected]>
>> Cc: [email protected]
>> Sent: Friday, April 25, 2014 9:44:37 AM
>> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
>
>> AFAIK you can use ldap sudo provider with IPA, see e.g.
>> <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
>
> I got this working, and it seems to work across recent Fedora releases too.
> This at least removes the requirement on using the old bind password
> method. Thanks!
>
> Is there a way for sssd to use _srv_ for the krb5_server line?
>
> Here's an updated Kickstart snippet:
>
> https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
>
> If we know what the syntax will be for sudo (or will it be default
> in 4.0?), then I can include the logic already not to do it manually.
>
> - Stephen
Good! A few comments I saw when reading the snippet:

For automount, you also want to use the --server option and the --unattended option (your version would freeze):

# ipa-client-automount --server vm-086.example.com --unattended
IPA server: vm-086.example.com
Location: default
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.
Started autofs

This is an example from RHEL-6.5.

As for SUDO, did you test the setup? It seems to me you missed adding the sss source to the "sudoers" database in nsswitch.conf. You would also need to set the NIS domain name, otherwise SUDO will not correctly recognize SUDO rules targeted at host groups instead of hosts:

authconfig --nisdomain example.com --update
nisdomainname example.com

On Fedora or RHEL > 7.0, you would also need to enable the systemd service to make the NIS domain name setup persistent:

# service rhel-domainname.service start
or
# service fedora-domainname.service start

and

# service rhel-domainname.service enable
or
# service fedora-domainname.service enable

All these sudo client changes will come for free with FreeIPA 4.0.

Martin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
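The two client-side checks Martin raises (the "sudoers" database in nsswitch.conf must list sss, and the NIS domain name must be set) as an added shell example. This is not code from the thread or from the Foreman template under review; it assumes only POSIX sh with sed, grep and awk, operates on a constructed nsswitch.conf rather than the host's real file, and takes the domain name as an argument so it can be run against any value (for example the contents of /proc/sys/kernel/domainname).

```shell
#!/bin/sh
# Added example, not code from the thread or from Foreman's templates.
# Verifies, and fixes on a copy, the two things the SSSD sudo provider
# needs on an IPA client: "sss" on the sudoers line of nsswitch.conf,
# and a NIS domain name so rules aimed at host groups still match.

# Succeeds (exit 0) if the nsswitch.conf given as $1 has "sss" on its
# sudoers line. Comments after '#' are stripped first so a note such as
# "# add sss later" is not mistaken for a configured source.
nsswitch_sudoers_has_sss() {
    sed 's/#.*//' "$1" | grep -E '^[[:space:]]*sudoers[[:space:]]*:' | grep -qw sss
}

# Writes $1 to $2 with "sss" appended to the sudoers line (kept in front
# of any trailing comment); appends "sudoers: files sss" if the database
# is not listed at all. Idempotent: a file that already has sss is copied
# unchanged. The input is never edited in place, so the result can be
# diffed against the live file before it is installed.
nsswitch_add_sss_sudoers() {
    if nsswitch_sudoers_has_sss "$1"; then
        cp "$1" "$2"
    elif grep -qE '^[[:space:]]*sudoers[[:space:]]*:' "$1"; then
        awk '/^[[:space:]]*sudoers[[:space:]]*:/ && !done {
                 n = index($0, "#"); comment = ""
                 if (n) { comment = " " substr($0, n); $0 = substr($0, 1, n - 1) }
                 sub(/[[:space:]]+$/, "")       # drop spaces before the comment
                 $0 = $0 " sss" comment
                 done = 1
             }
             { print }' "$1" > "$2"
    else
        cp "$1" "$2"
        printf 'sudoers: files sss\n' >> "$2"
    fi
}

# Succeeds if $1 is a usable NIS domain name. The kernel reports "(none)"
# when it was never set, which is the state in which sudo rules targeted
# at IPA host groups silently stop matching.
nis_domain_is_set() {
    [ -n "$1" ] && [ "$1" != "(none)" ]
}

# Stand-alone demo on a constructed nsswitch.conf, not a real host's file.
tmp=$(mktemp -d)
printf 'passwd:     files sss\nsudoers:    files   # IPA rules not yet enabled\nnetgroup:   files sss\n' \
    > "$tmp/nsswitch.conf"
if nsswitch_sudoers_has_sss "$tmp/nsswitch.conf"; then
    echo "sudoers already uses sss"
else
    nsswitch_add_sss_sudoers "$tmp/nsswitch.conf" "$tmp/nsswitch.conf.new"
    echo "proposed sudoers line:"
    grep '^sudoers' "$tmp/nsswitch.conf.new"
fi
if nis_domain_is_set "$(cat /proc/sys/kernel/domainname 2>/dev/null)"; then
    echo "NIS domain name is set"
else
    echo "NIS domain name is NOT set (authconfig --nisdomain ... --update)"
fi
rm -rf "$tmp"
```

Run it as-is to see the proposed sudoers line for the constructed sample; to audit a real client, point nsswitch_sudoers_has_sss at /etc/nsswitch.conf and review the copy produced by nsswitch_add_sss_sudoers before replacing the original.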
