Are you not missing “sudo” in [sssd] and did you restard the services on the 
machine? We found quite a significant cache, which sometimes lead to asking 


You might even have to delete /var/lib/sss/db/ contents and restart sssd.


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ash Alam
Sent: jeudi 24 mars 2016 19:50
To: Jakub Hrozek <jhro...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd

Based on (How to troubleshoot Sudo)

- Maybe i miss spoke when i said it fails completely. Rather it keeps asking 
for the users password which it does not accept.
- I do not have sudo in sssd.conf
- I do not have sudoers: sss defined in nsswitch.conf
- Per Fedora/Freeipa doc (Defining Sudo), its not immediately clear if these 
needs to be defined
- If this is the case then adding them might resolve my issues.
- for the special sudo rule(s). is there any way to track it via the gui? I am 
trying to keep track of all the configs so its not a blackhole for the next 

- This is what it looks like on the web gui
[Inline image 1]

- This is what a clients sssd.conf looks like

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = xxxxxx
chpass_provider = ipa
ipa_server = _srv_, xxxxx
ldap_tls_cacert = /etc/ipa/ca.crt
services = nss, pam, ssh
config_file_version = 2

domains = XXXXX
homedir_substring = /home


On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek 
<jhro...@redhat.com<mailto:jhro...@redhat.com>> wrote:

> On 24 Mar 2016, at 17:21, Ash Alam 
> <aa...@paperlesspost.com<mailto:aa...@paperlesspost.com>> wrote:
> Hello
> I am looking for some guidance on how to properly do sudo with Freeipa. I 
> have read up on what i need to do but i cant seem to get to work correctly. 
> Now with sudoers.d i can accomplish this fairly quickly.
> Example:
> %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> What i have configured in Freeipa Sudo Rules:
> Sudo Option: !authenticate
> Who: dev (group)
> Access this host: testing (group)
> Run Commands: set of commands that are defined.
> Now when i apply this, it still does not work as it asks for a password for 
> the user and then fails. I am hoping to allow a group to only run certain 
> commands without requiring password.

You should first find out why sudo fails completely. We have this guide that 
should help you:

About asking for passwords -- defining a special sudo rule called 'defaults' 
and then adding '!authenticate' should help:
 Add a special Sudo rule for default Sudo server configuration:
   ipa sudorule-add defaults

 Set a default Sudo option:
   ipa sudorule-add-option defaults --sudooption '!authenticate'

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to