One of my biggest projects is to use ansible to kill OpenLDAP clients on
our production servers and install and configure ipa-client. I'm
probably 95% there with automating the process (still trying to figure
out what pam_ldap crap is floating around after uninstalling those
packages and such) but I've got a weird issue that appears to be related
to the C6 ipa-client setup.
After installing the ipa-client and configuring, I can login as my ipa
user account, but, even though I have SUDO rules in place, I'm getting a
'user is not in sudoers file...etc, etc' on CentOS 6, but /not/ on a
CentOS 7 client I have tested on. I've tried two different C6 boxes
with the same result. The SSSD/nsswitch/pam.d config files are all
identical between the C6 and C7 servers.
The C7 box did not have a previous OpenLDAP client on it, and neither
did one of the C6 boxes, so it doesn't appear to be a problem/conflict
with remnants of OpenLDAP/PAM causing the problem. Sudoers on all the
boxes I'm testing is out-of-the-box vanilla and there are no sudoers.d/
files either.
I'm an IPA newbie, and I gave up on OpenLDAP and PAM (god, what a cockup
that is) almost two decades ago, so I'm not as familiar with it as some
people might be. Here are the package versions for the IPA clients:
C7: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
C6: ipa-client-3.0.0-51.el6.centos.x86_64
The only other thing I can think of to mention is that in
/var/log/secure on the C6 boxes I'm getting a pam_unix.so authentication
failure (obviously since my user isn't on that box) prior to sssd
authenticating me successfully when trying to sudo su. I do not see
that problem on the C7 box.
Any ideas?
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.ha...@neonova.net
www.neonova.net
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
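The post says SSSD, nsswitch and pam.d files are identical across the clients, but sudo rules served by SSSD depend on two specific settings that are easy to overlook when comparing hosts: a `sudoers:` line in `/etc/nsswitch.conf` that lists `sss`, and `sudo` in the `services` key of the `[sssd]` section of `/etc/sssd/sssd.conf` (the `sudo_provider` key in the domain section is optional and defaults to the `id_provider`). The script below is an added diagnostic example, not code from the original post or from the FreeIPA project; it parses both files and reports what is missing. The two pairs of sample files are constructed to resemble a client with the wiring in place and one without it; the domain name `example.test` and server `ipa.example.test` are placeholders.

```python
"""Audit whether a client is wired to fetch sudo rules from SSSD.

Added diagnostic example. It checks the two settings SSSD sudo support
relies on and reports the effective sudo provider per domain.
"""
import configparser


def nsswitch_sudoers_sources(text):
    """Return the sources on the 'sudoers:' line of nsswitch.conf,
    or an empty list if the line is absent (sudo then reads only
    /etc/sudoers and sudoers.d)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.startswith("sudoers:"):
            return line.split(":", 1)[1].split()
    return []


def sssd_sudo_settings(text):
    """Return (sudo_in_services, {domain: effective_sudo_provider}).

    sudo_provider defaults to id_provider when not set, which is the
    documented sssd.conf behaviour, so an absent key is not a finding.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get("sssd", "services", fallback="")
    services = [s.strip() for s in raw.split(",") if s.strip()]
    providers = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            domain = section[len("domain/"):]
            prov = cp.get(section, "sudo_provider", fallback=None)
            if prov is None:
                prov = cp.get(section, "id_provider", fallback=None)
            providers[domain] = prov
    return "sudo" in services, providers


def audit_sudo_via_sss(nsswitch_text, sssd_text):
    """Return a list of findings; an empty list means both settings are present."""
    findings = []
    sources = nsswitch_sudoers_sources(nsswitch_text)
    if "sss" not in sources:
        findings.append(
            "nsswitch.conf: 'sudoers:' line does not list sss (sources=%r)" % sources)
    sudo_enabled, _providers = sssd_sudo_settings(sssd_text)
    if not sudo_enabled:
        findings.append("sssd.conf: 'sudo' missing from [sssd] services")
    return findings


# Constructed sample files (placeholders, not copied from any real host).
NSSWITCH_COMPLETE = """passwd:     files sss
shadow:     files sss
group:      files sss
sudoers:    files sss
"""
NSSWITCH_MISSING = """passwd:     files sss
shadow:     files sss
group:      files sss
# no sudoers: line, so sudo never asks SSSD for rules
"""
SSSD_COMPLETE = """[sssd]
services = nss, sudo, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
"""
SSSD_MISSING = """[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
"""

if __name__ == "__main__":
    for label, nss, sssd in (("complete", NSSWITCH_COMPLETE, SSSD_COMPLETE),
                             ("missing", NSSWITCH_MISSING, SSSD_MISSING)):
        print(label, audit_sudo_via_sss(nss, sssd) or "OK")
```

On a real client, read `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` (the latter is root-only, mode 0600) and pass their contents to `audit_sudo_via_sss`; running it on both the working and the failing client shows at once whether the two differ on these keys, independent of the rest of the SSSD and PAM configuration.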