On Mon, 25 Aug 2014, Martin Kosek wrote:
On 08/25/2014 12:51 PM, Megan . wrote:
Good Morning,

I'm very new to FreeIPA.

Welcome on board!

I'm running CentOS 6.5 with FreeIPA v3.

I have the FreeIPA server up but I'm working on getting SUDO
configured.  Currently I'm having problems getting sudo commands to
work on the client.  I'm a bit unclear if I have everything configured
correctly.  The only thing that I can figure out might be an issue is
that when I try the sudo command I see a filter search with
objectclass=sudoRule, but when I check the LDAP server it has
objectclass=sudoRole, so there are no results.

According to

the objectclass in the schema should really read "sudoRole" (I know, may be

Any ideas?  Thank you in advance for any advice.

Where do you see the filter?

[tuser2@map1 ~]$ sudo /sbin/iptables -L
Enter RSA PIN+token:
tuser2 is not allowed to run sudo on map1.  This incident will be reported.
yum installed libsss_sudo

I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local

**still not sure what this is for **

This is for setting the NIS domain permanently. sudo uses NIS domains when it
uses sudo rules with host groups instead of individual host names.

Created a sudo user on the LDAP server:
ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com

[root@map1 sssd]# cat /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
sudoers:    files sss
sudoers_debug: 1
#sudoers:    files
hosts:      files dns
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  files
automount:  files ldap
aliases:    files
[root@map1 sssd]#

[root@map1 sssd]# cat sssd.conf

debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = server.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = map1.server.example.com
chpass_provider = ipa
ipa_server = _srv_, dir1.server.example.com
ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt

sudo_provider = ldap
ldap_uri = ldap://dir1.server.example.com
ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dir1.server.example.com
ldap_sasl_realm = server.example.com
krb5_server = dir1.server.example.com

services = nss, pam, ssh, sudo
config_file_version = 2

domains = server.example.com
from the sssd_sudo.log

(Mon Aug 25 10:36:31 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
(Mon Aug 25 10:36:31 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
(Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client

I do not understand why it searches with "sudorule" objectclass. According to
sssd-ldap man page, ldap_sudorule_object_class should default to "sudoRole".
Jakub or Pavel, any idea?
It is a search against SSSD's local cache where the object class is
sudoRule. A correct entry for searching against LDAP server should be in the 

/ Alexander Bokovoy
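As an added check, not part of the thread, the lint below reads an sssd.conf and reports the sudo-related settings a client needs: the sudo responder in services, a sudo_provider with its search base, an ldap_sasl_authid that names the client itself (with GSSAPI the client binds with its own host keytab, so host/<ipa_hostname> is expected), and an unchanged ldap_sudorule_object_class, since sudoRule is only the sysdb cache class while the server schema uses sudoRole. The embedded sample is constructed from the sssd.conf quoted above; its section headers are assumed because the quoted copy does not show them.

```python
import configparser

# Constructed sample modelled on the sssd.conf quoted in the thread.
# The [sssd] and [domain/...] headers are assumed; the quote omits them.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, ssh, sudo
domains = server.example.com

[domain/server.example.com]
id_provider = ipa
auth_provider = ipa
ipa_hostname = map1.server.example.com
ipa_server = _srv_, dir1.server.example.com
sudo_provider = ldap
ldap_uri = ldap://dir1.server.example.com
ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dir1.server.example.com
"""


def lint_sudo_config(text):
    """Return a list of findings about the sudo setup in an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("sudo responder is not listed in [sssd] services")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if "sudo_provider" not in dom:
            findings.append(f"{section}: no sudo_provider, rules will not be fetched")
            continue
        if dom["sudo_provider"] == "ldap" and "ldap_sudo_search_base" not in dom:
            findings.append(f"{section}: sudo_provider=ldap without ldap_sudo_search_base")
        # GSSAPI binds use the client's own keytab: host/<ipa_hostname>, not the server.
        authid = dom.get("ldap_sasl_authid", "")
        host = dom.get("ipa_hostname", "")
        if authid.startswith("host/") and host and authid[5:].split("@")[0] != host:
            findings.append(f"{section}: ldap_sasl_authid {authid} does not match ipa_hostname {host}")
        # Server entries are sudoRole; sudoRule is only the sysdb cache class in the log.
        oc = dom.get("ldap_sudorule_object_class", "sudoRole")
        if oc.lower() != "sudorole":
            findings.append(f"{section}: ldap_sudorule_object_class={oc}, server schema uses sudoRole")
    return findings
```

Run it against the real file with `lint_sudo_config(open("/etc/sssd/sssd.conf").read())`; on the sample it reports only the sasl authid mismatch.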