Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa provider did
not work under 1.11
Sent from my iPhone
> On Jul 13, 2016, at 9:02 AM, Tomas Simecek wrote:
>
> Hi,
> versions are:
> sssd-client-1.11.6-30.el6.x86_64
> sssd-ipa-1.11.6-30.el6.x86_64
> ipa-client-3.0.0-50.el6.centos.1.x86_64
> as part of:
> CentOS release 6.6 (Final)
>
> T.
>
> 2016-07-13 14:52 GMT+02:00 :
>> Again what is client version on 6.5?
>>
>>
>> Sent from my iPhone
>>
>>> On Jul 13, 2016, at 8:25 AM, Tomas Simecek wrote:
>>>
>>> Thanks for your information Lukas,
>>> I have changed sudo_provider to ipa, restarted sssd and no difference.
>>> Logfile still says "Access granted by HBAC rule..." and sudo says
>>> simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.
>>>
>>> Btw. man sssd-sudo says:
>>> The following example shows how to configure SSSD to download
>>> sudo rules from an LDAP server.
>>>
>>>[sssd]
>>>config_file_version = 2
>>>services = nss, pam, sudo
>>>domains = EXAMPLE
>>>
>>>[domain/EXAMPLE]
>>>id_provider = ldap
>>>
>>> so I am not that sure what should be set on my version of sssd.
>>>
>>> Any idea?
>>>
>>> Thanks
>>>
>>> T.
>>>
>>> 2016-07-13 13:44 GMT+02:00 Lukas Slebodnik :
On (13/07/16 13:36), Tomas Simecek wrote:
>Lukas,
>yes, I went through that guide and I configured sssd.conf as per the doc
>(you can see it in the beginning of the thread).
>
>Actually the installation is:
>[root@zp-cml-test sssd]# cat /etc/redhat-release
>CentOS release 6.6 (Final)
>
>and versions are:
>[root@zp-cml-test sssd]# rpm -qa |grep sssd
>sssd-proxy-1.11.6-30.el6.x86_64
>sssd-common-pac-1.11.6-30.el6.x86_64
>sssd-ipa-1.11.6-30.el6.x86_64
>sssd-1.11.6-30.el6.x86_64
>sssd-common-1.11.6-30.el6.x86_64
>sssd-ad-1.11.6-30.el6.x86_64
>sssd-ldap-1.11.6-30.el6.x86_64
>python-sssdconfig-1.11.6-30.el6.noarch
>sssd-krb5-common-1.11.6-30.el6.x86_64
>sssd-krb5-1.11.6-30.el6.x86_64
>sssd-client-1.11.6-30.el6.x86_64
>
1.11 has sudo_provider=ipa
@see instructions in man sssd-sudo how to configure it.
It should avoid issues with two different providers (ipa and ldap)
>
>There are some reasons why not to upgrade to later versions, believe me, I
>would do it if I could :-)
>
You can at least try to upgrade sssd from 6.8 if you do not want
to upgrade whole OS.
LS
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project