On (03/12/14 06:05), sipazzo wrote:
>Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and 
>clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and 
>solaris. It seemed like my sudo config using sssd in rhel6.5 was working and 
>then we patched to 6.6 and it is broken. I had followed these setup 
>instructions previously:
>yum install -y libsss_sudo
>Added to /etc/nsswitch.conf
>sudoers: sss files
>Add nisdomainname:
>nisdomainname ipadomain.com
>echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network
>Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
>sudo_provider = ldap
>ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, 
>ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, 
>ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, 
>ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
>ldap_sasl_mech = GSSAPI    
>ldap_sasl_authid = host/ipaclient1.ipadomain.com  
>ldap_sasl_realm = ipadomain.COM
>krb5_server =ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, 
>ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, 
>ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
>services =  nss, pam, sudo, ssh
>Restart sssd service
>I know that libsss_sudo is now included as part of another package and read 
>that you need sssd-common which I tried installing to no avail as well. I had 
>been told that despite the man pages on sssd I needed to specify the servers 
>in ldap_uri (and I assume krb5_server) as it would not use SRV records but am 
>not sure that is correct. 
>1) What are the steps to get sudo working with sssd on an existing, newly 
>patched (to rhel6.6) system
Configuration from rhel 6.5 should also work on rhel 6.6.

But rhel 6.6 can also work with sudo_provider = ipa.
In this case the sssd configuration is easier. You can find details in the manual page
man sssd-sudo.

>2) Are the steps any different for a new system (i.e. I read it is "seamless" 
>but I guess we still have to manually edit files?)
On rhel6.6 ipa-client-install should configure sudo unless you executed
ipa-client-install with --no-sudo

>3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server 
>and do we have to specify the ldap_sasl_authid with the client hostname
Yes, it does.
man sssd-ldap -> SERVICE DISCOVERY

If you use sudo_provider=ipa then you will not need to configure all the ldap_*
and krb5_* options on your own.
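To make the difference concrete, below is the shape of an sssd.conf that uses the ipa provider for sudo, as described in the reply above. This is an added example, not configuration from the original poster or from the sssd project; the domain name, realm, hostname and server names are placeholders (example.com, client1.example.com, ipa1.example.com), and the full option reference is in sssd.conf(5), sssd-ipa(5) and sssd-sudo(5).

```ini
; Added example (placeholders, not the poster's configuration).
; With id_provider = ipa the sudo_provider defaults to ipa, the sudo search
; base defaults to ou=sudoers under the IPA base DN, and the SASL identity
; defaults to host/<ipa_hostname>@<realm> taken from /etc/krb5.keytab, so the
; ldap_* and krb5_* options from the question are not needed.

[sssd]
config_file_version = 2
; "sudo" must be listed here, otherwise the sudo responder is not started.
services = nss, pam, ssh, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ipa

ipa_domain = example.com
ipa_hostname = client1.example.com
; _srv_ enables DNS SRV lookup (see "SERVICE DISCOVERY" in sssd-ldap(5));
; the explicit server after it is only a fallback if SRV lookup fails.
ipa_server = _srv_, ipa1.example.com

cache_credentials = True

; The matching nss lookup order in /etc/nsswitch.conf (not part of this
; file) is:
;   sudoers: files sss
```

After writing the file, restart sssd and check that the sudo responder is running (a process named sssd_sudo) and that `sudo -l` for an IPA user lists the rules assigned in IPA. The `_srv_` keyword is what answers question 3: with the ipa provider, SRV records are used for both LDAP and Kerberos, and ldap_sasl_authid does not need to be set because it is derived from ipa_hostname.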
