Thanks for your time. Man pages were the first, but it's not working just
base on that. Find out  that libsss_sudo is desperately needed and it's not
required by ipa-client rpm. So now I only need to check sudo policy in IPA,
as there is obviously some issue, but connection is working.

yum install ipa-client libsss_sudo
ipa-client-install ...
/etc/sssd/sssd.conf (ldap setup based on man)
/etc/nsswitch.conf  (sss provider for sudoers based on man)

and result:

[vaclav.adamec@ipa-client~]$ groups
vaclav.adamec admins

[vaclav.adamec@ipa-client ~]$ sudo -l
vaclav.adamec is not allowed to run sudo on ipa-client.  This incident will
be reported.

(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [vaclav.adamec] from [<ALL>]
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [vaclav.adamec@test]
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [vaclav.adamec@test]
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [vaclav.adamec] from [test]
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
(Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [vaclav.adamec@test]

but ldap search:

 ldapsearch -x -h localhost -p 389 -b ou=sudoers,dc=test

# sudoers, test
dn: ou=sudoers,dc=test
objectClass: extensibleObject
ou: sudoers

# Admins_can_do_anything, sudoers, test <>
dn: cn=Admins_can_run_whomai_as_root,ou=sudoers,dc=test
sudoUser: %admins
sudoHost: +all
objectClass: sudoRole
objectClass: top
sudoRunAsUser: root
sudoCommand: /usr/bin/whoami
cn: Admins_can_run_whomai_as_root

# search result
search: 2
result: 0 Success

On Fri, Oct 17, 2014 at 8:39 AM, Alexander Bokovoy <>

> On Fri, 17 Oct 2014, Vaclav Adamec wrote:
>> Mixture of bot method is result of testing, just registration via
>> ipa-client (maybe CentOS 6 has only ipa-client-3.0.0-37 ?) definitely not
>> setup anything about sudo. I'll try to build 4.0.3 client for CentOS 6,
>> but
>> right now:
> Installing 4.x (client or server) is not supported on CentOS 6.x. You
> can use whatever IPA version is available there (3.0).It will not
> automatically configure sudo for you, there you have to follow what
> sssd-sudo(5) tells you to do.
> My primary point was that we have this documentation available on every
> machine where SSSD is in use, no need to search over internet.
> P.S. Please reply to the list, not personally.
> --
> / Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to