Re: [Freeipa-users] sudo utilizing sssd rhel6.6
Thank you both. I was able to get this working by just adding the sudo_provider = ipa to sssd.conf. I removed all the ldap_uri and krb5_server lines to keep the file tidier. I had read service discovery works with sssd but was told by Redhat support it does not. I am happy to hear it does as it is much easier to maintain. Thanks again.

On Wed, 12/3/14, Lukas Slebodnik lsleb...@redhat.com wrote:

 Subject: Re: [Freeipa-users] sudo utilizing sssd rhel6.6
 To: sipazzo sipa...@yahoo.com
 Cc: freeipa-users@redhat.com
 Date: Wednesday, December 3, 2014, 7:38 AM

> On (03/12/14 06:05), sipazzo wrote:
>> Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
>>
>> yum install -y libsss_sudo
>>
>> Added to /etc/nsswitch.conf
>> sudoers: sss files
>>
>> Add nisdomainname:
>> nisdomainname ipadomain.com
>> echo NISDOMAIN=ipadomain.com /etc/sysconfig/network
>>
>> Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
>>
>> [domain/ipadomain.com]
>> ……….
>> sudo_provider = ldap
>> ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
>> ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/ipaclient1.ipadomain.com
>> ldap_sasl_realm = ipadomain.COM
>> krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
>>
>> [sssd]
>> services = nss, pam, sudo, ssh
>>
>> [sudo]
>>
>> Restart sssd service
>>
>> I know that libsss_sudo is now included as part of another package and read that you need sssd-common which I tried installing to no avail as well. I had been told that despite the man pages on sssd I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records but am not sure that is correct.
>>
>> Questions:
>>
>> 1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system
>
> Configuration from rhel 6.5 should work also on rhel 6.6
> But rhel 6.6 can work also with sudo_provider = ipa
> In this case sssd configuration is easier.
> You can find details in manual page man sssd-sudo.
>
>> 2) Are the steps any different for a new system (i.e. I read it is seamless but I guess we still have to manually edit files?)
>
> On rhel6.6 ipa-client-install should configure sudo unless you executed ipa-client-install with --no-sudo
>
>> 3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server and do we have to specify the ldap_sasl_authid with the client hostname
>
> Yes, it does. man sssd.ldap - SERVICE DISCOVERY
>
> If you use sudo_provider=ipa then you will not need to configure all ldap_* krb5_* options on your own.
>
> LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] sudo utilizing sssd rhel6.6
Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:

yum install -y libsss_sudo

Added to /etc/nsswitch.conf
sudoers: sss files

Add nisdomainname:
nisdomainname ipadomain.com
echo NISDOMAIN=ipadomain.com /etc/sysconfig/network

Added the following to /etc/sssd/sssd.conf (is all this really necessary?)

[domain/ipadomain.com]
……….
sudo_provider = ldap
ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipaclient1.ipadomain.com
ldap_sasl_realm = ipadomain.COM
krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com

[sssd]
services = nss, pam, sudo, ssh

[sudo]

Restart sssd service

I know that libsss_sudo is now included as part of another package and read that you need sssd-common which I tried installing to no avail as well. I had been told that despite the man pages on sssd I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records but am not sure that is correct.

Questions:

1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system

2) Are the steps any different for a new system (i.e. I read it is seamless but I guess we still have to manually edit files?)

3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server and do we have to specify the ldap_sasl_authid with the client hostname

Thank you for any assistance.
Re: [Freeipa-users] sudo utilizing sssd rhel6.6
On Wed, Dec 03, 2014 at 06:05:23AM -0800, sipazzo wrote:
> Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
>
> yum install -y libsss_sudo
>
> Added to /etc/nsswitch.conf
> sudoers: sss files
>
> Add nisdomainname:
> nisdomainname ipadomain.com
> echo NISDOMAIN=ipadomain.com /etc/sysconfig/network
>
> Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
>
> [domain/ipadomain.com]
> ……….
> sudo_provider = ldap
> ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
> ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipaclient1.ipadomain.com
> ldap_sasl_realm = ipadomain.COM
> krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
>
> [sssd]
> services = nss, pam, sudo, ssh
>
> [sudo]
>
> Restart sssd service
>
> I know that libsss_sudo is now included as part of another package and read that you need sssd-common which I tried installing to no avail as well. I had been told that despite the man pages on sssd I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records but am not sure that is correct.
>
> Questions:
>
> 1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system

Starting with 6.6 the procedure was simplified to:
 * add sudo_provider=ipa to sssd.conf's domain section
 * add sss to the sudoers line of nsswitch.conf

> 2) Are the steps any different for a new system (i.e. I read it is seamless but I guess we still have to manually edit files?)

I'm not 100% sure if the ipa-client-install patches made it to 6.6 or not, but with very recent (7.1) ipa-client-install, everything should just work and be set up by the installer

> 3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server and do we have to specify the ldap_sasl_authid with the client hostname

SRV records - yes
ldap_sasl_authid - you don't need that starting with 6.6
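The simplified RHEL 6.6 setup in the reply above (sudo_provider=ipa in the domain section, sss on the sudoers line of nsswitch.conf, and sudo in the [sssd] services list) has three independent places to get wrong on an already-patched host. The script below is an added example, not code from the thread or from the SSSD/FreeIPA projects: it lints an sssd.conf/nsswitch.conf pair for exactly those three points and contrasts the hand-maintained ldap-provider configuration from the original post with the ipa-provider form. The two sample configurations, the temporary directory and the function names ini_get and check_sudo_config are constructed for illustration; nothing touches the live /etc files.

```shell
#!/bin/bash
# Added example (not from the thread or from SSSD/FreeIPA): lint an
# sssd.conf + nsswitch.conf pair for the RHEL 6.6 "sudo via sssd" setup.
# Works on constructed sample files in a temp dir and never touches /etc.
set -u

# Print the value of KEY inside [SECTION] of an ini-style file, or nothing.
ini_get() {
    local file=$1 section=$2 key=$3
    awk -v sec="[$section]" -v key="$key" '
        /^[[:space:]]*\[/ { hdr = $0; gsub(/[[:space:]]/, "", hdr); insec = (hdr == sec); next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$file"
}

# Return 0 when sudo is wired through SSSD, 1 otherwise.
# Prints one finding per check so the reader sees what is missing.
check_sudo_config() {
    local sssd=$1 nss=$2 dom=$3 rc=0 services provider sudoers

    # 1. the sudo responder must be started by the sssd monitor
    services=$(ini_get "$sssd" sssd services)
    case ",$(printf '%s' "$services" | tr -d ' ')," in
        *,sudo,*) echo "ok:   [sssd] services includes sudo" ;;
        *)        echo "FAIL: [sssd] services lacks sudo ('$services')"; rc=1 ;;
    esac

    # 2. the domain needs a sudo provider; 'ipa' needs no ldap_*/krb5_* lines
    provider=$(ini_get "$sssd" "domain/$dom" sudo_provider)
    case "$provider" in
        ipa)  echo "ok:   sudo_provider = ipa (servers via SRV, GSSAPI bind with host keytab)" ;;
        ldap) echo "WARN: sudo_provider = ldap; ldap_uri/ldap_sasl_authid must be kept in sync by hand" ;;
        "")   echo "FAIL: no sudo_provider in [domain/$dom]"; rc=1 ;;
        *)    echo "FAIL: unknown sudo_provider '$provider'"; rc=1 ;;
    esac

    # 3. sudo itself only asks SSSD if nsswitch lists sss for sudoers
    sudoers=$(awk '/^[[:space:]]*sudoers:/ { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }' "$nss")
    case " $sudoers " in
        *" sss "*) echo "ok:   nsswitch sudoers consults sss ('$sudoers')" ;;
        *)         echo "FAIL: nsswitch sudoers does not list sss ('${sudoers:-<none>}')"; rc=1 ;;
    esac
    return $rc
}

# --- constructed samples (assumed; names and contents are illustrative) ---
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT

# Hand-maintained 6.5-style config: ldap provider, sudo responder forgotten.
cat > "$tmpdir/sssd.old.conf" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = ipadomain.com

[domain/ipadomain.com]
id_provider = ipa
sudo_provider = ldap
ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com
ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipaclient1.ipadomain.com
EOF
printf 'sudoers: files\n' > "$tmpdir/nsswitch.old.conf"

# Simplified 6.6 config: ipa provider, no server list, DNS SRV discovery.
cat > "$tmpdir/sssd.new.conf" <<'EOF'
[sssd]
services = nss, pam, sudo, ssh
domains = ipadomain.com

[domain/ipadomain.com]
id_provider = ipa
auth_provider = ipa
sudo_provider = ipa
ipa_domain = ipadomain.com
ipa_server = _srv_
EOF
printf 'sudoers: files sss\n' > "$tmpdir/nsswitch.new.conf"

for v in old new; do
    echo "== $v config =="
    if check_sudo_config "$tmpdir/sssd.$v.conf" "$tmpdir/nsswitch.$v.conf" ipadomain.com; then
        echo "result: PASS"
    else
        echo "result: FAIL"
    fi
done
```

On a live client the same three checks apply to /etc/sssd/sssd.conf and /etc/nsswitch.conf; after restarting sssd, running `sudo -l` as an IPA user and reading /var/log/sssd/sssd_sudo.log show whether rules are actually being fetched. The script deliberately does not check the nisdomainname step from the original post, which matters only for netgroup-based sudo rules. The WARN on sudo_provider = ldap is the practical point of the thread: that form still works, but every client carries its own server list and SASL identity, so a decommissioned replica or a renamed host silently breaks sudo until someone edits each file, whereas the ipa provider discovers servers through SRV records and binds with the host keytab it already has.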
Re: [Freeipa-users] sudo utilizing sssd rhel6.6
On (03/12/14 06:05), sipazzo wrote:
> Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
>
> yum install -y libsss_sudo
>
> Added to /etc/nsswitch.conf
> sudoers: sss files
>
> Add nisdomainname:
> nisdomainname ipadomain.com
> echo NISDOMAIN=ipadomain.com /etc/sysconfig/network
>
> Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
>
> [domain/ipadomain.com]
> ……….
> sudo_provider = ldap
> ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
> ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipaclient1.ipadomain.com
> ldap_sasl_realm = ipadomain.COM
> krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
>
> [sssd]
> services = nss, pam, sudo, ssh
>
> [sudo]
>
> Restart sssd service
>
> I know that libsss_sudo is now included as part of another package and read that you need sssd-common which I tried installing to no avail as well. I had been told that despite the man pages on sssd I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records but am not sure that is correct.
>
> Questions:
>
> 1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system

Configuration from rhel 6.5 should work also on rhel 6.6
But rhel 6.6 can work also with sudo_provider = ipa
In this case sssd configuration is easier.
You can find details in manual page man sssd-sudo.

> 2) Are the steps any different for a new system (i.e. I read it is seamless but I guess we still have to manually edit files?)

On rhel6.6 ipa-client-install should configure sudo unless you executed ipa-client-install with --no-sudo

> 3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server and do we have to specify the ldap_sasl_authid with the client hostname

Yes, it does. man sssd.ldap - SERVICE DISCOVERY

If you use sudo_provider=ipa then you will not need to configure all ldap_* krb5_* options on your own.

LS