----- Original Message -----
> From: "Martin Kosek" <mko...@redhat.com>
> To: "Stephen Benjamin" <stben...@redhat.com>, "Jan Cholasta" 
> <jchol...@redhat.com>
> Cc: d...@redhat.com, freeipa-users@redhat.com, "Tomas Babej" 
> <tba...@redhat.com>
> Sent: Friday, April 25, 2014 10:54:13 AM
> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> 
> On 04/25/2014 10:16 AM, Stephen Benjamin wrote:
> > ----- Original Message -----
> >> From: "Jan Cholasta" <jchol...@redhat.com>
> >> To: "Martin Kosek" <mko...@redhat.com>, d...@redhat.com, "Stephen
> >> Benjamin" <stben...@redhat.com>
> >> Cc: freeipa-users@redhat.com
> >> Sent: Friday, April 25, 2014 9:44:37 AM
> >> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> > 
> >> AFAIK you can use ldap sudo provider with IPA, see e.g.
> >> <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
> > 
> > I got this working, and seems to work across recent Fedora releases too.
> > This at least removes the requirement on using the old bind password
> > method.  Thanks!
> > 
> > Is there a way for sssd to use _srv_ for the krb5_server line?
> > 
> > Here's an updated Kickstart snippet:
> >   
> > https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> > 
> > If we know what the Syntax will be for sudo (or will it be default
> > in 4.0?), then I can include the logic already not to do it manually.
> > 
> > 
> > - Stephen
> > 
> 
> Good! Few comments I saw when reading the snippet:
> 
> For automount, you also want to use --server option and --unattended option
> (your version would freeze):
> 
> # ipa-client-automount --server vm-086.example.com --unattended
> IPA server: vm-086.example.com
> Location: default
> Configured /etc/nsswitch.conf
> Configured /etc/sysconfig/nfs
> Configured /etc/idmapd.conf
> Started rpcidmapd
> Started rpcgssd
> Restarting sssd, waiting for it to become available.
> Started autofs
> 
> This is example from RHEL-6.5.
> 
> As for SUDO, did you test the setup? It seems to me you missed adding sss
> source to "sudoers" database in nsswitch.conf.
>
> You would also need to set NIS domain name, otherwise SUDO will not correctly
> recognize SUDO rules targeted on host groups, instead of hosts:

Ah right, the system I tested was already registered.  Good catch, thanks.
 
> authconfig --nisdomain example.com --update
> nisdomainname example.com
> 
> On Fedora or RHEL > 7.0, you would also need to enable systemd service to
> make
> the NIS domain name setup persistent:
> 
> # service rhel-domainname.service start
> or
> # service fedora-domainname.service start

Wow.

Why was it done that way? It makes it difficult to write
cross-distro things...

How will we call that on EL clones?



> and
> 
> # service rhel-domainname.service enable
> or
> # service fedora-domainname.service enable
> 
> All these sudo client changes will come from free with FreeIPA 4.0.
> 
> Martin
> 

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to