Unfortunately sudo package included in amzn linux does not work with sudo rules
provided via SSS however it is in the feature requests list.
To workaround this you can replace it with the CentOS one:
http://mirror.centos.org/centos/6.7/os/x86_64/Packages/sudo-1.8.6p3-19.el6.x86_64.rpm
From: freeipa-users-boun...@redhat.com on
behalf of Alexander Bokovoy
Sent: 21 September 2015 20:40
To: Gustavo Mateus
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
On Mon, 21 Sep 2015, Gustavo Mateus wrote:
>Hi Alexander,
>
>Thank you very much for your help.
>Would it be possible for you to point me in the right direction on how to
>integrate this with sudo rules?
Please don't send emails personally unless asked to do that.
Your problem can be tracked with public mailing list.
>my sssd.conf looks like this:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>domains = default
>re_expression = (?P.+)
>
>[domain/default]
>cache_credentials = True
>id_provider = ldap
>auth_provider = ldap
>ldap_uri = ldap://ipaserver.my.domain.com
>ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
>ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
>ldap_user_ssh_public_key = ipaSshPubKey
>sudo_provider = ldap
>ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
>ldap_sudo_full_refresh_interval=86400
>ldap_sudo_smart_refresh_interval=3600
>debug_level=8
>
>[ssh]
>
>[sudo]
>debug_level=8
>
>
>and nsswitch.conf has this:
>
>sudoers:files sss
>
>
>
>My goal is to have freeipa as a replacement for the current openldap and
>hope that amazon linux supports it fully in the future. While they don't
>support it, I want to use as much as I can of centralized management that
>freeipa+sssd provides.
SSSD has own plugin for sudo integration that makes possible to cache
sudo rules via SSSD itself as opposed to use of sudo's LDAP plugin which
tries to talk to LDAP server directly.
You need to understand what features are provided by Amazon Linux's sudo
package. It may well be missing support for sudo plugins. I don't have
access to Amazon Linux source code, thus I cannot check whether their
sudo package supports external plugins.
So even if your sssd version includes sudo plugin, it may probably be
simply unused by your sssd version. Again, I have no idea how Amazon's
Linux AMI is built, thus it may miss this capability.
At this point I'd suggest you to investigate yourself and contact Amazon
support for finding out exactly what is happening there.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project