As Bob pointed out in a direct e-mail to me, there was the detail of adding sudo and sss to /etc/nsswitch.conf but – once I did so, it pointed out that the Rackspace RHEL packaging doesn’t provide what I need – possibly need from EPEL.

# yum search /usr/lib64/libsss_sudo.so
Loaded plugins: rhnplugin, security
This system is receiving updates from RHN Classic or RHN Satellite.
rackspace                                    | 1.3 kB     00:00
rackspace-rhel-x86_64-server-6.5.z-common    |  871 B     00:00
rackspace-rhel-x86_64-server-6.5.z-ius       |  871 B     00:00
rhel-x86_64-server-6.5.z                     | 1.5 kB     00:00
rhel-x86_64-server-optional-6.5.z            | 1.5 kB     00:00
rhn-tools-rhel-x86_64-server-6.5.z           | 1.3 kB     00:00
vmware-tools                                 |  951 B     00:00
Warning: No matches found for: /usr/lib64/libsss_sudo.so
No Matches found

Blockage identified, solution being searched

Craig White
System Administrator
O 623-201-8179
M 602-377-9752
SkyTouch Technology
4225 E. Windrose Dr.
Phoenix, AZ 85032

From: t...@tetrioncapital.com [mailto:t...@tetrioncapital.com]
Sent: Wednesday, November 05, 2014 6:11 PM
To: Craig White; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] unable to sudo

Hi,

Did you config HBAC to allow sudo, then in sudo rules, allow your sudo command, next would be adding HBAC rules to user group?

From: Craig White
Sent: Thursday, 6 November, 2014 6:11 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] unable to sudo

First 10 ipa clients I set up – no problem. Set up 2 more, perhaps this is a problem with the fact that these 2 hosts were on a totally new VLAN and the firewall rules weren’t correct when I set them up.

Been through the part on sudo here… http://www.freeipa.org/page/Troubleshooting

nisdomainname is correct on the machines and also in /etc/sysconfig/network

had to add ‘sudo’ to
[sssd]
services = nss, sudo, pam, ssh
and restarted sssd though I don’t know why it wasn’t added automatically

checked nsswitch.conf and netgroup is set to ‘files sss’

getent netgroup hgroup1 returns nothing on machines where sudo works and doesn’t work – can’t tell the difference.

Added ‘sudoers_debug 2’ to /etc/sudo_ldap.conf but don’t know where that logs

And finally, on a machine where ipa users cannot sudo…

# sudo -l
Matching Defaults entries for root on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on this host:
    (ALL) ALL

$ sudo -l
[sudo] password for craig.white:
Sorry, user craig.white may not run sudo on 599330-stash001.
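
The three client-side items this thread works through (a sudoers entry listing sss in nsswitch.conf, sudo in the [sssd] services list, and the presence of libsss_sudo.so) can be checked read-only with a script like the one below. It is an added example, not part of the original messages; the function names and the default path /etc/sssd/sssd.conf are assumptions of the example.

```shell
#!/bin/sh
# Added example: read-only checks for the client-side items named in the thread.
# Paths are arguments so the functions can be pointed at copies of the files.

# Succeeds if the "sudoers:" database in nsswitch.conf lists the sss source.
nsswitch_has_sss_sudoers() {
    awk '
        { sub(/#.*/, "") }                      # drop comments, full-line or trailing
        $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeeds if "services" in the [sssd] section of sssd.conf includes sudo.
sssd_has_sudo_service() {
    awk '
        /^[[:space:]]*[#;]/ { next }            # skip comment lines
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeeds if the SSSD sudo plugin exists in the given library directory.
sudo_plugin_present() { [ -e "$1/libsss_sudo.so" ]; }

# Runs all three checks, prints one line per item, returns the failure count.
check_sssd_sudo_client() {
    nss=${1:-/etc/nsswitch.conf}; conf=${2:-/etc/sssd/sssd.conf}; libdir=${3:-/usr/lib64}
    fails=0
    if nsswitch_has_sss_sudoers "$nss"; then echo "OK   sudoers lists sss in $nss"
    else echo "FAIL sudoers does not list sss in $nss"; fails=$((fails + 1)); fi
    if sssd_has_sudo_service "$conf"; then echo "OK   [sssd] services includes sudo in $conf"
    else echo "FAIL [sssd] services lacks sudo in $conf"; fails=$((fails + 1)); fi
    if sudo_plugin_present "$libdir"; then echo "OK   $libdir/libsss_sudo.so present"
    else echo "FAIL $libdir/libsss_sudo.so missing"; fails=$((fails + 1)); fi
    return "$fails"
}

# Check the live system only when asked to (sssd.conf is normally root-readable only).
if [ "${1:-}" = "--run" ]; then check_sssd_sudo_client; fi
```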