Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and 
clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and 
solaris. It seemed like my sudo config using sssd in rhel6.5 was working and 
then we patched to 6.6 and it is broken. I had followed these setup 
instructions previously:

yum install -y libsss_sudo

Added to /etc/nsswitch.conf

sudoers: sss files

Add nisdomainname:

echo "" >> /etc/sysconfig/network

Added the following to /etc/sssd/sssd.conf (is all this really necessary?)


sudo_provider = ldap
ldap_uri = ldaps://, 
ldaps://, ldaps://, 
ldaps://, ldaps://, 
ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
ldap_sasl_mech = GSSAPI    
ldap_sasl_authid = host/  
ldap_sasl_realm = ipadomain.COM

services =  nss, pam, sudo, ssh


Restart sssd service

I know that libsss_sudo is now included as part of another package and read 
that you need sssd-common which I tried installing to no avail as well. I had 
been told that despite the man pages on sssd I needed to specify the servers in 
ldap_uri (and I assume krb5_server) as it would not use SRV records but am not 
sure that is correct. 

1) What are the steps to get sudo working with sssd on an existing, newly 
patched (to rhel6.6) system?
2) Are the steps any different for a new system (i.e. I read it is "seamless" 
but I guess we still have to manually edit files?)
3) Does sssd in rhel6.6 support SRV lookup for the ldap_uri and krb5_server, and 
do we have to specify the ldap_sasl_authid with the client hostname?

Thank you for any assistance.
