On (25/11/14 19:39), William Muriithi wrote:
>The implication of adding the above is that SUDO would break if the
>> hardcoded ipa is not available even if there is another replica somewhere
>> in the network. Is that a correct assumption?
>>
>> Is there a better way of doing it that I have missed?
>>
>
>Which version of sssd do you have?
>sssd >= 1.10 has native ipa sudo providers and you don't need to use
>"sudo_provider = ldap".
>
>----------------------------
>
>Sorry, responding from a BlackBerry, which doesn't seem to indent the question I am
>responding to.
>
>This is the sssd version I am using. Certainly newer than 1.10. Do you mind
>pointing me to the recommended way of handling SUDO now?
>
>
>
>sssd-common-1.11.2-68.el7_0.6.x86_64
>sssd-ipa-1.11.2-68.el7_0.6.x86_64
>sssd-1.11.2-68.el7_0.6.x86_64
>sssd-client-1.11.2-68.el7_0.6.x86_64
>sssd-ad-1.11.2-68.el7_0.6.x86_64
>sssd-proxy-1.11.2-68.el7_0.6.x86_64
>python-sssdconfig-1.11.2-68.el7_0.6.noarch
>sssd-common-pac-1.11.2-68.el7_0.6.x86_64
>sssd-krb5-1.11.2-68.el7_0.6.x86_64
>sssd-krb5-common-1.11.2-68.el7_0.6.x86_64
>sssd-ldap-1.11.2-68.el7_0.6.x86_64
>
>

If you call ipa-client-install then sssd.conf needn't be changed. You just need to configure nsswitch.conf. It should contain "sudoers: files sss". The NIS domain name should be set correctly as well.
A detailed description is in the manual page: "man sssd-sudo"

LS
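A small audit of the client-side settings named in the reply above, as an added example that is not part of the original message or of the FreeIPA/SSSD projects. The function names, the sample files and the `example.test` domain are constructed for illustration, and treating `(none)` as an unset NIS domain is an assumption about what `nisdomainname` prints.

```shell
#!/bin/sh
# Added example: audit a client for the sudo setup described in the reply.
# Paths are arguments so the checks can be run against copies of the files.

# List the sources of the "sudoers" database in an nsswitch.conf,
# skipping comments and bracketed [STATUS=action] items.
sudoers_sources() {
    awk '{ sub(/#.*/, "") }
         /^[ \t]*sudoers[ \t]*:/ {
             sub(/^[ \t]*sudoers[ \t]*:/, "")
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^\[/) skip = 1
                 if (!skip) print $i
                 if ($i ~ /\]$/) skip = 0
             }
         }' "$1"
}

# Print any sudo_provider value set in an sssd.conf (comment lines ignored).
sudo_provider_of() {
    awk -F= '/^[ \t]*[#;]/ { next }
             { key = $1; gsub(/[ \t]/, "", key) }
             key == "sudo_provider" { v = $2; gsub(/[ \t]/, "", v); print v }' "$1"
}

# audit_sudo_client NSSWITCH SSSD_CONF NIS_DOMAIN -> 0 if all checks pass.
audit_sudo_client() {
    rc=0
    sudoers_sources "$1" | grep -qx sss ||
        { echo "FAIL: no 'sss' source for sudoers in $1"; rc=1; }
    if sudo_provider_of "$2" | grep -qx ldap; then
        echo "WARN: sudo_provider = ldap in $2 (not needed with sssd >= 1.10)"; rc=1
    fi
    case "$3" in
        ""|"(none)") echo "FAIL: NIS domain name is not set"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files (not taken from the thread).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'passwd: files sss\nsudoers: files [NOTFOUND=continue] sss # IPA\n' > "$demo/nss.ok"
printf 'passwd: files sss\n#sudoers: files sss\nsudoers: files\n' > "$demo/nss.bad"
printf '[domain/example.test]\nid_provider = ipa\n' > "$demo/sssd.ok"
printf '[domain/example.test]\nid_provider = ipa\nsudo_provider = ldap\n' > "$demo/sssd.ldap"

audit_sudo_client "$demo/nss.ok" "$demo/sssd.ok" example.test && echo "OK"
audit_sudo_client "$demo/nss.bad" "$demo/sssd.ldap" "(none)" || echo "needs fixing"
```

On a real client the three arguments would be `/etc/nsswitch.conf`, `/etc/sssd/sssd.conf` (readable by root only) and the output of `nisdomainname`.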
