On 04/08/2015 09:04 PM, Martin Chamambo wrote:
I managed to install my IPA client on CentOS 5 using the command below

  ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw

and it worked perfectly, I can getent passwd xxxx for users in the FreeIPA 
server, which is good.

I am now trying to configure SUDO on CentOS and there seem to be mixed views on 
how I can get it working, but I have actually embraced the following:

Use SSSD, don't use nslcd or anything that has pam_ldap or ldapd in the name

and here are my configs

cat /etc/nsswitch

sudoers:  files sss

cat /etc/sssd/sssd.conf

[root@pinnochio ~]# cat /etc/sssd/sssd.conf
config_file_version = 2
services = nss, pam

domains = ai.co.zw



cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

I wanted to add sudo services and ssh services on the line services = nss, pam 
and kept getting an error

(Thu Apr  9 02:04:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
(Thu Apr  9 02:04:36 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
(Thu Apr  9 02:08:27 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
(Thu Apr  9 02:08:59 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
(Thu Apr  9 02:09:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
(Thu Apr  9 02:10:05 2015) [sssd] [get_monitor_config] (0): Invalid service ssh

I guess there is a different way of configuring SUDO on RHEL 5 or CentOS 5.

The sudo and ssh support was added later than the version of SSSD that runs on CentOS 5.
Also, the version of sudo on 5 does not have integration with SSSD yet.
The recommended approach is to configure sudo using its own LDAP capabilities, as documented in the sudo manuals and man pages for that version.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
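
An added illustration of the approach recommended in the reply, not part of the original thread and not taken from the FreeIPA or sudo documentation: sudo reads its rules over LDAP directly while SSSD keeps only the nss and pam services. Assumptions: the directory suffix dc=ai,dc=co,dc=zw (derived from the domain name), the FreeIPA sudo container and bind account shown, /etc/ldap.conf as the file this sudo build reads, and a placeholder password.

```conf
# --- /etc/nsswitch.conf ---------------------------------------------
# sudo on this release has no SSSD integration, so "sss" is not a
# usable source for sudoers.
# before:  sudoers:  files sss
sudoers:  files ldap

# --- /etc/sssd/sssd.conf, [sssd] section ----------------------------
# Leave sudo and ssh out; this SSSD version logs them as
# "Invalid service".
services = nss, pam

# --- sudo's LDAP configuration --------------------------------------
# Assumed path: /etc/ldap.conf. Running `sudo -V` as root prints the
# "ldap.conf path" this build actually uses.
uri ldap://cyclops.ai.co.zw

# Assumed location of the sudo rules and assumed read-only bind account.
sudoers_base ou=SUDOers,dc=ai,dc=co,dc=zw
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ai,dc=co,dc=zw
# Placeholder; set the real password for the bind account here.
bindpw REPLACE_WITH_BIND_PASSWORD

# Protect the bind password and the rules in transit, and verify the
# server certificate against the IPA CA already installed by
# ipa-client-install.
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

# Fail quickly if the server is unreachable instead of hanging sudo.
bind_timelimit 5
timelimit 15
```

Because bindpw is stored in cleartext, bind with an account that can only read the sudo rules.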
