----- Original Message -----
> From: "Martin Kosek" <mko...@redhat.com>
> To: "Stephen Benjamin" <stben...@redhat.com>, "Jan Cholasta"
> Cc: d...@redhat.com, firstname.lastname@example.org, "Tomas Babej"
> Sent: Friday, April 25, 2014 10:54:13 AM
> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> On 04/25/2014 10:16 AM, Stephen Benjamin wrote:
> > ----- Original Message -----
> >> From: "Jan Cholasta" <jchol...@redhat.com>
> >> To: "Martin Kosek" <mko...@redhat.com>, d...@redhat.com, "Stephen
> >> Benjamin" <stben...@redhat.com>
> >> Cc: email@example.com
> >> Sent: Friday, April 25, 2014 9:44:37 AM
> >> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> >> AFAIK you can use ldap sudo provider with IPA, see e.g.
> >> <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
> > I got this working, and seems to work across recent Fedora releases too.
> > This at least removes the requirement on using the old bind password
> > method. Thanks!
> > Is there a way for sssd to use _srv_ for the krb5_server line?
> > Here's an updated Kickstart snippet:
> > https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> > If we know what the Syntax will be for sudo (or will it be default
> > in 4.0?), then I can include the logic already not to do it manually.
> > - Stephen
> Good! A few comments I saw when reading the snippet:
> For automount, you also want to use the --server option and the --unattended option
> (your version would freeze):
> # ipa-client-automount --server vm-086.example.com --unattended
> IPA server: vm-086.example.com
> Location: default
> Configured /etc/nsswitch.conf
> Configured /etc/sysconfig/nfs
> Configured /etc/idmapd.conf
> Started rpcidmapd
> Started rpcgssd
> Restarting sssd, waiting for it to become available.
> Started autofs
> This is an example from RHEL-6.5.
> As for SUDO, did you test the setup? It seems to me you missed adding the sss
> source to the "sudoers" database in nsswitch.conf.
> You would also need to set NIS domain name, otherwise SUDO will not correctly
> recognize SUDO rules targeted on host groups, instead of hosts:
Ah right, the system I tested was already registered. Good catch, thanks.
> authconfig --nisdomain example.com --update
> nisdomainname example.com
> On Fedora or RHEL > 7.0, you would also need to enable the systemd service to
> make the NIS domain name setup persistent:
> # service rhel-domainname.service start
> # service fedora-domainname.service start
Why was it done that way? It makes it difficult to write
How will we call that on EL clones?
> # service rhel-domainname.service enable
> # service fedora-domainname.service enable
> All these sudo client changes will come for free with FreeIPA 4.0.
Freeipa-users mailing list
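
The two client-side requirements raised in the thread above (an sss source for the "sudoers" database in nsswitch.conf, and a NIS domain name so that rules targeted on host groups are recognized) can be checked with a short script. This is an added example, not part of the original thread or of FreeIPA; the function names and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the two client settings the thread says sudo needs.
# Function names and sample files are made up for this illustration.

# Succeeds if the "sudoers" database in an nsswitch.conf lists the sss source.
sudoers_uses_sss() {
    awk '
        { sub(/#.*/, "") }                       # ignore comments
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")                   # keep only the source list
            n = split($0, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeeds if the NIS domain name ($1) equals the expected domain ($2).
# Both an empty string and "(none)" are treated as "not set".
nisdomain_matches() {
    [ -n "$1" ] && [ "$1" != "(none)" ] && [ "$1" = "$2" ]
}

# Prints one line per finding; returns the number of problems found.
check_sudo_client() {
    problems=0
    if ! sudoers_uses_sss "$1"; then
        echo "FAIL: no sss source for sudoers in $1"
        problems=$((problems + 1))
    fi
    if ! nisdomain_matches "$2" "$3"; then
        echo "FAIL: NIS domain is '$2', expected '$3' (host group rules will not match)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: sudoers uses sss, NIS domain is $3"
    return "$problems"
}

# Constructed sample files, so the example runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'passwd: files sss\nsudoers: files   # sss not added yet\n' > "$tmp/before"
printf 'passwd: files sss\nsudoers:\tfiles sss\n' > "$tmp/after"

check_sudo_client "$tmp/before" "(none)" example.com || echo "problems: $?"
check_sudo_client "$tmp/after" example.com example.com

# On a real client:
#   check_sudo_client /etc/nsswitch.conf "$(nisdomainname)" example.com
```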