Hi,

Are you not missing "sudo" in [sssd], and did you restart the services on the machine? We found quite a significant cache, which sometimes leads to asking for passwords.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html

You might even have to delete the /var/lib/sss/db/ contents and restart sssd.

Best,

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ash Alam
Sent: Thursday 24 March 2016 19:50
To: Jakub Hrozek <jhro...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

Based on (How to troubleshoot Sudo):

- Maybe I misspoke when I said it fails completely. Rather, it keeps asking for the user's password, which it does not accept.
- I do not have sudo in sssd.conf.
- I do not have sudoers: sss defined in nsswitch.conf.
- Per the Fedora/FreeIPA doc (Defining Sudo), it's not immediately clear if these need to be defined.
- If this is the case, then adding them might resolve my issues.
- For the special sudo rule(s), is there any way to track it via the GUI? I am trying to keep track of all the configs so it's not a black hole for the next person.
- This is what it looks like on the web GUI:

[Inline image 1]

- This is what a client's sssd.conf looks like:

    [domain/xxxxx]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = pp
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = xxxxxx
    chpass_provider = ipa
    ipa_server = _srv_, xxxxx
    ldap_tls_cacert = /etc/ipa/ca.crt

    [sssd]
    services = nss, pam, ssh
    config_file_version = 2
    domains = XXXXX

    [nss]
    homedir_substring = /home

    [pam]

    [sudo]

    [autofs]

    [ssh]

    [pac]

    [ifp]

On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On 24 Mar 2016, at 17:21, Ash Alam <aa...@paperlesspost.com> wrote:
> >
> > Hello
> >
> > I am looking for some guidance on how to properly do sudo with FreeIPA. I
> > have read up on what I need to do, but I can't seem to get it to work correctly.
> > Now with sudoers.d I can accomplish this fairly quickly.
> >
> > Example:
> >
> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> >
> > What I have configured in FreeIPA Sudo Rules:
> >
> > Sudo Option: !authenticate
> > Who: dev (group)
> > Access this host: testing (group)
> > Run Commands: set of commands that are defined.
> >
> > Now when I apply this, it still does not work, as it asks for a password for
> > the user and then fails. I am hoping to allow a group to only run certain
> > commands without requiring a password.
>
> You should first find out why sudo fails completely. We have this guide that should help you:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> About asking for passwords -- defining a special sudo rule called 'defaults' and then adding '!authenticate' should help:
>
> Add a special Sudo rule for default Sudo server configuration:
>     ipa sudorule-add defaults
>
> Set a default Sudo option:
>     ipa sudorule-add-option defaults --sudooption '!authenticate'
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
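An added check, not part of this thread, for the two client-side settings the replies point at: whether sssd.conf lists sudo under [sssd] services, and whether nsswitch.conf has an sss source on its sudoers: line. The file contents and paths below are constructed samples, not the poster's configuration.

```shell
#!/bin/sh
# Added example: check whether a client is wired for SSSD-backed sudo, i.e.
# "sudo" in the [sssd] services list and "sss" on the sudoers: line of
# nsswitch.conf. The sample files below are constructed, not the poster's.

# Return 0 if the services= line inside the [sssd] section lists "sudo".
sssd_has_sudo_service() {
    awk '
        /^\[/ { in_sssd = ($0 ~ /^\[sssd\][[:space:]]*$/); next }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ { sub(/^[^=]*=/, ""); print }
    ' "$1" | tr ',' '\n' | tr -d ' \t' | grep -qx sudo
}

# Return 0 if the sudoers: line in nsswitch.conf includes the sss source.
nsswitch_has_sss_sudoers() {
    grep -E '^[[:space:]]*sudoers:' "$1" | tr -s ' \t' '\n' | grep -qx sss
}

# Report both checks; return 0 only when both pass.
check_sudo_wiring() {
    rc=0
    if sssd_has_sudo_service "$1"; then
        echo "ok:   services= under [sssd] includes sudo ($1)"
    else
        echo "FAIL: add sudo to services= under [sssd] in $1, then restart sssd"
        rc=1
    fi
    if nsswitch_has_sss_sudoers "$2"; then
        echo "ok:   sudoers: line includes sss ($2)"
    else
        echo "FAIL: add 'sudoers: files sss' to $2"
        rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the thread: services= lacks sudo,
# and nsswitch.conf has no sss source for sudoers.
TMP=$(mktemp -d)
cat > "$TMP/sssd.conf" <<'EOF'
[domain/example]
id_provider = ipa
[sssd]
services = nss, pam, ssh
domains = example
[sudo]
EOF
printf 'passwd: files sss\nsudoers: files\n' > "$TMP/nsswitch.conf"
check_sudo_wiring "$TMP/sssd.conf" "$TMP/nsswitch.conf" || true
```

Point the two functions at /etc/sssd/sssd.conf and /etc/nsswitch.conf on a real client; after fixing either file, restart sssd and, if stale entries persist, clear the /var/lib/sss/db/ cache as suggested above.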