Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and 
clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and 
solaris. It seemed like my sudo config using sssd in rhel6.5 was working and 
then we patched to 6.6 and it is broken. I had followed these setup 
instructions previously:

yum install -y libsss_sudo

Added to /etc/nsswitch.conf

sudoers: sss files

Add nisdomainname:

nisdomainname ipadomain.com
echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network

Added the following to /etc/sssd/sssd.conf (is all this really necessary?)

[domain/ipadomain.com]
……….

sudo_provider = ldap
ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipaclient1.ipadomain.com
ldap_sasl_realm = ipadomain.COM
krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com

[sssd]
services = nss, pam, sudo, ssh

[sudo]


Restart the sssd service

I know that libsss_sudo is now included as part of another package and read 
that you need sssd-common which I tried installing to no avail as well. I had 
been told that despite the man pages on sssd I needed to specify the servers in 
ldap_uri (and I assume krb5_server) as it would not use SRV records but am not 
sure that is correct. 

Questions:
1) What are the steps to get sudo working with sssd on an existing, newly 
patched (to rhel6.6) system?
2) Are the steps any different for a new system (i.e. I read it is "seamless" 
but I guess we still have to manually edit files?)
3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server, and 
do we have to specify the ldap_sasl_authid with the client hostname?

Thank you for any assistance.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
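As an added example (not part of the original mail, and not code from the FreeIPA or SSSD projects): a read-only POSIX shell check of the client-side pieces the setup steps above touch, i.e. `sudoers: sss` in nsswitch.conf, `sudo` in the `[sssd]` services list, a `sudo_provider` in the domain section, and `NISDOMAIN` in sysconfig/network. File paths are parameters so it can be pointed at the real files or at copies; the sample files it builds are constructed to mirror the mail's configuration and use no real hosts.

```shell
#!/bin/sh
# Added example, not from the original mail: a read-only check of the
# client-side pieces listed for sudo through SSSD.  File paths are
# parameters so it can be run against constructed copies; the real
# locations are /etc/nsswitch.conf, /etc/sssd/sssd.conf and
# /etc/sysconfig/network.

# Print the first value of key $2 in INI section $1 of file $3, or nothing.
ini_get() {
    awk -v want_sec="$1" -v want_key="$2" '
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == want_sec && $0 ~ ("^[[:space:]]*" want_key "[[:space:]]*=") {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            print val
            exit
        }' "$3"
}

# True when a comma/space separated list ($1) contains the word $2.
list_has() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$item" = "$2" ] && return 0
    done
    return 1
}

# True when nsswitch.conf ($1) names "sss" as a source for the sudoers database.
nsswitch_has_sss() {
    line=$(grep -E '^[[:space:]]*sudoers:' "$1" 2>/dev/null | head -n 1 | cut -d: -f2-)
    list_has "$line" sss
}

# Run all checks; prints one line per check and returns 1 if any failed.
# $1 nsswitch.conf  $2 sssd.conf  $3 IPA domain name  $4 sysconfig/network
check_sudo_sss_client() {
    rc=0
    if nsswitch_has_sss "$1"; then echo "ok   sudoers: sss in $1"
    else echo "FAIL $1 lacks 'sudoers: sss'"; rc=1; fi

    if list_has "$(ini_get sssd services "$2")" sudo; then echo "ok   sudo responder listed in [sssd] services"
    else echo "FAIL [sssd] services does not list sudo"; rc=1; fi

    if [ -n "$(ini_get "domain/$3" sudo_provider "$2")" ]; then echo "ok   sudo_provider set in [domain/$3]"
    else echo "FAIL no sudo_provider in [domain/$3]"; rc=1; fi

    if grep -E '^NISDOMAIN=.+' "$4" >/dev/null 2>&1; then echo "ok   NISDOMAIN set in $4"
    else echo "FAIL NISDOMAIN not set in $4"; rc=1; fi
    return $rc
}

# Constructed sample files mirroring the mail's configuration (no real hosts).
make_samples() {
    dir=$(mktemp -d)
    printf 'passwd:  files sss\nsudoers: sss files\n' > "$dir/nsswitch.conf"
    printf 'NETWORKING=yes\nNISDOMAIN=ipadomain.com\n' > "$dir/network"
    cat > "$dir/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, sudo, ssh
domains = ipadomain.com

[domain/ipadomain.com]
id_provider = ipa
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
EOF
    echo "$dir"
}

# Demo run against the constructed files; on a real client pass the real paths.
sample=$(make_samples)
check_sudo_sss_client "$sample/nsswitch.conf" "$sample/sssd.conf" ipadomain.com "$sample/network"
```

The check only reads files; it does not confirm that the sudo responder is actually answering, so after it passes the usual next step is to look at the sudo responder and domain logs under /var/log/sssd/ with a raised debug_level.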