Ash Alam wrote:
Based on (How to troubleshoot Sudo)

- Maybe I misspoke when I said it fails completely. Rather, it keeps
asking for the user's password, which it does not accept.
- I do not have sudo in sssd.conf
- I do not have sudoers: sss defined in nsswitch.conf
- Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if
these need to be defined
- If this is the case then adding them might resolve my issues.
- For the special sudo rule(s), is there any way to track it via the
GUI? I am trying to keep track of all the configs so it's not a black hole
for the next person.

It would help to know the release of Fedora you're using, the rpm version of ipa-client and sssd.

If you are using Fedora freeipa docs they are extremely old, at best F-18. Use the RHEL docs.

rob


- This is what it looks like on the web GUI
Inline image 1


- This is what a client's sssd.conf looks like
[domain/xxxxx]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = xxxxxx
chpass_provider = ipa
ipa_server = _srv_, xxxxx
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = XXXXX
[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <jhro...@redhat.com> wrote:


    > On 24 Mar 2016, at 17:21, Ash Alam <aa...@paperlesspost.com> wrote:
    >
    > Hello
    >
    > I am looking for some guidance on how to properly do sudo with Freeipa. I
    > have read up on what I need to do but I can't seem to get it to work correctly. Now
    > with sudoers.d I can accomplish this fairly quickly.
    >
    > Example:
    >
    > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
    >
    > What i have configured in Freeipa Sudo Rules:
    >
    > Sudo Option: !authenticate
    > Who: dev (group)
    > Access this host: testing (group)
    > Run Commands: set of commands that are defined.
    >
    > Now when I apply this, it still does not work as it asks for a password
    > for the user and then fails. I am hoping to allow a group to only run certain
    > commands without requiring password.
    >

    You should first find out why sudo fails completely. We have this
    guide that should help you:
    https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

    About asking for passwords -- defining a special sudo rule called
    'defaults' and then adding '!authenticate' should help:
      Add a special Sudo rule for default Sudo server configuration:
        ipa sudorule-add defaults

      Set a default Sudo option:
        ipa sudorule-add-option defaults --sudooption '!authenticate'
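
The two client settings the thread asks about (sudo in the [sssd] services line and an sss source for sudoers in nsswitch.conf) can be checked with a short script. This is an added example, not part of the original messages; the domain name example.test, the sample file contents and the function names are constructed, and it assumes SSSD responders are enabled through the services line rather than by socket activation.

```python
import configparser

# Constructed sample inputs modelled on the client configuration quoted in the thread.
SSSD_CONF = """\
[domain/example.test]
id_provider = ipa
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.test
[sudo]
"""

NSSWITCH_CONF = """\
passwd:     files sss
group:      files sss
# sudoers:  files sss
"""


def sssd_services(text):
    """Return the responders listed in services= of the [sssd] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def nss_sources(text, database):
    """Return lookup sources for one nsswitch.conf database, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            # Drop action items such as [NOTFOUND=return]; keep source names only.
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []


def sudo_integration_gaps(sssd_text, nsswitch_text):
    """List which of the two settings discussed in the thread are missing."""
    gaps = []
    if "sudo" not in sssd_services(sssd_text):
        gaps.append("sssd.conf: 'sudo' not in [sssd] services")
    if "sss" not in nss_sources(nsswitch_text, "sudoers"):
        gaps.append("nsswitch.conf: no 'sudoers:' line with an sss source")
    return gaps
```

Calling sudo_integration_gaps() on the real /etc/sssd/sssd.conf and /etc/nsswitch.conf contents returns an empty list once both settings are present.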




