Based on (How to troubleshoot Sudo)

- Maybe i miss spoke when i said it fails completely. Rather it keeps
asking for the users password which it does not accept.
- I do not have sudo in sssd.conf
- I do not have sudoers: sss defined in nsswitch.conf
- Per Fedora/Freeipa doc (Defining Sudo), its not immediately clear if
these needs to be defined
- If this is the case then adding them might resolve my issues.
- for the special sudo rule(s). is there any way to track it via the gui? I
am trying to keep track of all the configs so its not a blackhole for the
next person.

- This is what it looks like on the web gui
[image: Inline image 1]

- This is what a clients sssd.conf looks like

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = xxxxxx
chpass_provider = ipa
ipa_server = _srv_, xxxxx
ldap_tls_cacert = /etc/ipa/ca.crt
services = nss, pam, ssh
config_file_version = 2

domains = XXXXX
homedir_substring = /home


On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <> wrote:

> > On 24 Mar 2016, at 17:21, Ash Alam <> wrote:
> >
> > Hello
> >
> > I am looking for some guidance on how to properly do sudo with Freeipa.
> I have read up on what i need to do but i cant seem to get to work
> correctly. Now with sudoers.d i can accomplish this fairly quickly.
> >
> > Example:
> >
> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> >
> > What i have configured in Freeipa Sudo Rules:
> >
> > Sudo Option: !authenticate
> > Who: dev (group)
> > Access this host: testing (group)
> > Run Commands: set of commands that are defined.
> >
> > Now when i apply this, it still does not work as it asks for a password
> for the user and then fails. I am hoping to allow a group to only run
> certain commands without requiring password.
> >
> You should first find out why sudo fails completely. We have this guide
> that should help you:
> About asking for passwords -- defining a special sudo rule called
> 'defaults' and then adding '!authenticate' should help:
>  Add a special Sudo rule for default Sudo server configuration:
>    ipa sudorule-add defaults
>  Set a default Sudo option:
>    ipa sudorule-add-option defaults --sudooption '!authenticate'
Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to