Ash Alam wrote:
Based on (How to troubleshoot Sudo)

- Maybe i miss spoke when i said it fails completely. Rather it keeps
asking for the users password which it does not accept.
- I do not have sudo in sssd.conf
- I do not have sudoers: sss defined in nsswitch.conf
- Per Fedora/Freeipa doc (Defining Sudo), its not immediately clear if
these needs to be defined
- If this is the case then adding them might resolve my issues.
- for the special sudo rule(s). is there any way to track it via the
gui? I am trying to keep track of all the configs so its not a blackhole
for the next person.

It would help to know the release of Fedora you're using, the rpm version of ipa-client and sssd.

If you are using Fedora freeipa docs they are extremely old, at best F-18. Use the RHEL docs.


- This is what it looks like on the web gui
Inline image 1

- This is what a clients sssd.conf looks like

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = xxxxxx
chpass_provider = ipa
ipa_server = _srv_, xxxxx
ldap_tls_cacert = /etc/ipa/ca.crt
services = nss, pam, ssh
config_file_version = 2

domains = XXXXX
homedir_substring = /home


On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <
<>> wrote:

    > On 24 Mar 2016, at 17:21, Ash Alam < 
<>> wrote:
    > Hello
    > I am looking for some guidance on how to properly do sudo with Freeipa. I 
have read up on what i need to do but i cant seem to get to work correctly. Now 
with sudoers.d i can accomplish this fairly quickly.
    > Example:
    > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
    > What i have configured in Freeipa Sudo Rules:
    > Sudo Option: !authenticate
    > Who: dev (group)
    > Access this host: testing (group)
    > Run Commands: set of commands that are defined.
    > Now when i apply this, it still does not work as it asks for a password 
for the user and then fails. I am hoping to allow a group to only run certain 
commands without requiring password.

    You should first find out why sudo fails completely. We have this
    guide that should help you:

    About asking for passwords -- defining a special sudo rule called
    'defaults' and then adding '!authenticate' should help:
      Add a special Sudo rule for default Sudo server configuration:
        ipa sudorule-add defaults

      Set a default Sudo option:
        ipa sudorule-add-option defaults --sudooption '!authenticate'

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to