Hi, I also think you will have to update to rhel 6.6 if you want to use sssd for sudo. If updating to 6.6 is not a problem, this would be the least painful.
> > > The problem is that I can't get sudo rules to work. I know that the
> > > ipa client software version 3.0.0 doesn't automatically set up all the
> > > configuration for sssd to control sudo access, but I have set up all
> > > the configuration necessary manually:
> > >
> > > On the client, /etc/nsswitch.conf has
> > >
> > > sudoers files sss

This will work only for rhel 6.6. Add ldap between files and sss if you won't be using 6.6.

> > > /etc/sssd/sssd.conf has
> > >
> > > [domain/default]
> > >
> > > cache_credentials = True
> > > krb5_realm = <REALM>
> > > krb5_server = <ipa server>:88
> > > id_provider = ldap
> > > auth_provider = ldap
> > > chpass_provider = ldap
> > > ldap_tls_cacertdir = /etc/openldap/cacerts
> > > [domain/<domain>]

Remove the ldap related lines if on 6.6. If you are not going to use 6.6, keep them, but add a bind password on ipa-server as it can't bind anonymously.

> > > cache_credentials = True
> > > krb5_store_password_if_offline = True
> > > ipa_domain = <domain>
> > > id_provider = ipa
> > > auth_provider = ipa
> > > access_provider = ipa
> > > chpass_provider = ipa
> > > ipa_dyndns_update = True
> > > ipa_server = <ipa server>
> > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > sudo_provider = ldap

This is assuming you are not using 6.6, else replace ldap with sss.

> > > ldap_uri = ldap://<ipa server>
> > > ldap_sudo_search_base = ou=sudoers,<domain base dn>
> > > ldap_sasl_mech = GSSAPI
> > > ldap_sasl_authid = host/<client fqdn>
> > > ldap_sasl_realm = <REALM>
> > > krb5_server = <ipa server>
> > > debug_level = 9
> > > [sssd]
> > > services = nss, pam, ssh, sudo
> > > config_file_version = 2
> > >
> > > domains = <domain>, default
> > > debug_level = 9
> > > [nss]
> > > debug_level = 9
> > >
> > > [pam]
> > > debug_level = 9
> > >
> > > [sudo]
> > > debug_level = 9
> > > [autofs]
> > >
> > > I have validated the ldap sasl configuration using ldapsearch, so I'm
> > > sure they are correct.
> > >
> > > The nisdomainname command returns the domain name.
> > >
> > > The sudo rules are:
> > > # ipa sudorule-find
> > > --------------------
> > > 2 Sudo Rules matched
> > > --------------------
> > > Rule name: sudo-host1
> > > Enabled: TRUE
> > > Command category: all
> > > RunAs User category: all
> > > User Groups: host1-rw
> > > Host Groups: host1
> > > Sudo Option: -authenticate
> > >
> > > Rule name: sudo-host2
> > > Enabled: TRUE
> > > User Groups: host2-rw
> > > Host Groups: host2
> > > Sudo Option: -authenticate
> > > ----------------------------
> > > Number of entries returned 2
> > > ----------------------------
> > >
> > > When a user in user group host1-rw sshes to a client in host group
> > > host1 and runs "sudo su -" the user gets prompted for a password even
> > > though the sudo option -authenticate is set.
> > > I'm not convinced that sudo is even attempting to use sssd, but I'm
> > > not sure how to confirm this.

I think command group all or category all may be problematic. Enable debugging to see if category all is being considered. For me, I had to adjust that, but I can't recall from memory how I got around it.

> > > I have seen some references to /etc/sudo-ldap.conf in online
> > > discussions of similar issues. This file exists on my client, but
> > > everything is commented out. Do I need to put the ldap client
> > > configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf
> > > for CentOS 6.3 clients?

Yes. Uncomment the lines that are commented with a single # and customize it with your realm details plus the password you created on ipa-server. At the bottom, enable debugging in case it doesn't work on the first attempt. If you are on 6.6, disregard this file.

> > > Any ideas about how to work out what is failing?
William

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
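The question the original poster cannot answer ("I'm not convinced that sudo is even attempting to use sssd") is decided by two client files: the sudoers: line in /etc/nsswitch.conf, and the [sssd] services list plus the domain's sudo_provider in /etc/sssd/sssd.conf. The script below is an added example, not code from this thread, FreeIPA or SSSD: it reads those two files and reports whether the lookup path sudo -> nsswitch "sss" -> sssd sudo responder -> provider is actually wired up. The example.com realm, host names, base DN and the constructed sample files are assumptions. It deliberately does not check the one thing the reply above points at, namely whether the installed sudo binary was built with the sss backend (the RHEL 6.6 dependency), because that cannot be read from a config file.

```shell
#!/bin/sh
# Added example (not from the freeipa-users thread, FreeIPA or SSSD):
# check whether sudo on this client is wired to sssd. Sample files below are
# constructed; the example.com names in them are assumptions.

# Print the lookup sources on the "sudoers:" line of an nsswitch.conf, e.g. "files sss".
nss_sudoers_sources() {
    sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" \
        | sed 's/#.*//; s/[[:space:]]*$//' | head -n 1
}

# sssd_value FILE SECTION KEY: value of KEY inside [SECTION] of an sssd.conf (first match).
sssd_value() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\][[:space:]]*$/, "", s)
            insec = (s == sec); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_sudo_plumbing NSSWITCH SSSD_CONF
# Returns 0 when sudo on this client will ask sssd for rules; prints what is missing otherwise.
check_sudo_plumbing() {
    nss=$(nss_sudoers_sources "$1")
    services=$(sssd_value "$2" sssd services | tr -d ' ')
    domain=$(sssd_value "$2" sssd domains | sed 's/[[:space:]]*,.*//')
    provider=$(sssd_value "$2" "domain/$domain" sudo_provider)
    # sssd.conf(5): an unset *_provider falls back to the domain's id_provider.
    [ -n "$provider" ] || provider=$(sssd_value "$2" "domain/$domain" id_provider)
    rc=0
    case " $nss " in
        *" sss "*) ;;
        *) echo "nsswitch.conf: sudoers line is '$nss'; sudo will never call sssd"; rc=1 ;;
    esac
    case ",$services," in
        *,sudo,*) ;;
        *) echo "sssd.conf: [sssd] services='$services' lacks sudo; the sudo responder is not started"; rc=1 ;;
    esac
    case "$provider" in
        ipa|ldap) ;;
        none|"") echo "sssd.conf: [domain/$domain] has no usable sudo_provider (got '$provider')"; rc=1 ;;
        *) echo "sssd.conf: [domain/$domain] has unexpected sudo_provider '$provider'"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "sudo -> nss 'sss' -> sssd sudo responder -> $provider provider for $domain"
    return "$rc"
}

# Constructed samples: a stock client that never reaches sssd, and one wired like the thread's.
write_samples() {
    printf 'passwd:     files sss\nsudoers:    files\n' > "$1/nsswitch.broken"
    printf 'passwd:     files sss\nsudoers:    files sss\n' > "$1/nsswitch.ok"
    cat > "$1/sssd.broken" <<'EOF'
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ipa
sudo_provider = none
EOF
    cat > "$1/sssd.ok" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.example.com
sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com
EOF
}

# Demo on the constructed samples. On a real client run:
#   check_sudo_plumbing /etc/nsswitch.conf /etc/sssd/sssd.conf
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
check_sudo_plumbing "$SAMPLES/nsswitch.broken" "$SAMPLES/sssd.broken" || echo "broken sample: sudo is not wired to sssd"
check_sudo_plumbing "$SAMPLES/nsswitch.ok" "$SAMPLES/sssd.ok"
rm -rf "$SAMPLES"
```

If all three checks pass and sudo still prompts, the remaining suspects are outside these files: the sudo binary lacking the sss backend (the pre-6.6 case in the reply), or the rule itself, which is where the sssd sudo responder's debug log (debug_level = 9 under [sudo]) and a GSSAPI ldapsearch against ou=sudoers,<base dn> come in.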