Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa provider did not work under 1.11
Sent from my iPhone > On Jul 13, 2016, at 9:02 AM, Tomas Simecek <simecek.to...@gmail.com> wrote: > > Hi, > versions are: > sssd-client-1.11.6-30.el6.x86_64 > sssd-ipa-1.11.6-30.el6.x86_64 > ipa-client-3.0.0-50.el6.centos.1.x86_64 > as part of: > CentOS release 6.6 (Final) > > T. > > 2016-07-13 14:52 GMT+02:00 <ladner.dan...@gmail.com>: >> Again what is client version on 6.5? >> >> >> Sent from my iPhone >> >>> On Jul 13, 2016, at 8:25 AM, Tomas Simecek <simecek.to...@gmail.com> wrote: >>> >>> Thanks for your information Lukas, >>> I have changed sudo_provider to ipa, restarted sssd and no difference. >>> Logfile still says "Access granted by HBAC rule..." and sudo says >>> simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test. >>> >>> Btw. man sssd-sudo says: >>> The following example shows how to configure SSSD to download >>> sudo rules from an LDAP server. >>> >>> [sssd] >>> config_file_version = 2 >>> services = nss, pam, sudo >>> domains = EXAMPLE >>> >>> [domain/EXAMPLE] >>> id_provider = ldap >>> >>> so I am not that sure what should be set on my version of sssd. >>> >>> Any idea? >>> >>> Thanks >>> >>> T. >>> >>> 2016-07-13 13:44 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>: >>>> On (13/07/16 13:36), Tomas Simecek wrote: >>>> >Lukas, >>>> >yes, I went through that guide and I configured sssd.conf as per the doc >>>> >(you can see it in the beginning of the thread). >>>> > >>>> >Actually the installation is: >>>> >[root@zp-cml-test sssd]# cat /etc/redhat-release >>>> >CentOS release 6.6 (Final) >>>> > >>>> >and versions are: >>>> >[root@zp-cml-test sssd]# rpm -qa |grep sssd >>>> >sssd-proxy-1.11.6-30.el6.x86_64 >>>> >sssd-common-pac-1.11.6-30.el6.x86_64 >>>> >sssd-ipa-1.11.6-30.el6.x86_64 >>>> >sssd-1.11.6-30.el6.x86_64 >>>> >sssd-common-1.11.6-30.el6.x86_64 >>>> >sssd-ad-1.11.6-30.el6.x86_64 >>>> >sssd-ldap-1.11.6-30.el6.x86_64 >>>> >python-sssdconfig-1.11.6-30.el6.noarch >>>> >sssd-krb5-common-1.11.6-30.el6.x86_64 >>>> >sssd-krb5-1.11.6-30.el6.x86_64 >>>> >sssd-client-1.11.6-30.el6.x86_64 >>>> > >>>> 1.11 has sudo_provider=ipa >>>> >>>> @see instructions in man sssd-sudo how to configure it. >>>> It should avoid issues with two different providers (ipa and ldap) >>>> >>>> > >>>> >There are some reasons why not to upgrade to later versions, believe me, I >>>> >would do it if I could :-) >>>> > >>>> You can at least try to upgrade sssd from 6.8 if you do not want >>>> to upgrade whole OS. >>>> >>>> LS >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project