Ash Alam wrote:
Based on (How to troubleshoot Sudo)
- Maybe i miss spoke when i said it fails completely. Rather it keeps
asking for the users password which it does not accept.
- I do not have sudo in sssd.conf
- I do not have sudoers: sss defined in nsswitch.conf
- Per Fedora/Freeipa doc (Defining Sudo), its not immediately clear if
these needs to be defined
- If this is the case then adding them might resolve my issues.
- for the special sudo rule(s). is there any way to track it via the
gui? I am trying to keep track of all the configs so its not a blackhole
for the next person.
It would help to know the release of Fedora you're using, the rpm
version of ipa-client and sssd.
If you are using Fedora freeipa docs they are extremely old, at best
F-18. Use the RHEL docs.
- This is what it looks like on the web gui
Inline image 1
- This is what a clients sssd.conf looks like
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = xxxxxx
chpass_provider = ipa
ipa_server = _srv_, xxxxx
ldap_tls_cacert = /etc/ipa/ca.crt
services = nss, pam, ssh
config_file_version = 2
domains = XXXXX
homedir_substring = /home
On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <jhro...@redhat.com
> On 24 Mar 2016, at 17:21, Ash Alam <aa...@paperlesspost.com
> I am looking for some guidance on how to properly do sudo with Freeipa. I
have read up on what i need to do but i cant seem to get to work correctly. Now
with sudoers.d i can accomplish this fairly quickly.
> %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> What i have configured in Freeipa Sudo Rules:
> Sudo Option: !authenticate
> Who: dev (group)
> Access this host: testing (group)
> Run Commands: set of commands that are defined.
> Now when i apply this, it still does not work as it asks for a password
for the user and then fails. I am hoping to allow a group to only run certain
commands without requiring password.
You should first find out why sudo fails completely. We have this
guide that should help you:
About asking for passwords -- defining a special sudo rule called
'defaults' and then adding '!authenticate' should help:
Add a special Sudo rule for default Sudo server configuration:
ipa sudorule-add defaults
Set a default Sudo option:
ipa sudorule-add-option defaults --sudooption '!authenticate'
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project