Re: [Freeipa-users] Fwd: problem users AD can not sudo in centos 6.6

2015-01-04 Thread Vaclav Adamec
Hi,
I had the same issue after upgrading a registered CentOS 6.5 to 6.6 (and with
the new IPA client). The new version already contains sudo support, so sssd.conf
doesn't contain it. You can uninstall the IPA client and register the server again
- keep the configuration file generated by the IPA client itself (I used Puppet to
maintain this file and ended up with multiple-version chaos because of CentOS
and IPA versions).


Vasek

Example of a clean config file (you don't need to set up anything manually):

[domain/xxx.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xxx.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = server.xxx.com
chpass_provider = ipa
ipa_server = _srv_, ipa.xxx.com
dns_discovery_domain = xxx.com

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xxx.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]





On Sat, Jan 3, 2015 at 8:10 PM, Dmitri Pal wrote:

>  On 01/03/2015 05:14 AM, alireza baghery wrote:
>
>
>
> hi
> I integrated AD Windows 208 R2 with an IPA server (CentOS 6.5).
> I wrote a policy for user test to execute any command on any host.
> User test can execute sudo on CentOS 6.5 but not on CentOS 6.6 (sudo
> gets an error).
> sssd.conf config:
> =
>
> [domain/l.example.com]
> debug_level = 6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = l.example.com
> id_provider = ipa
> ipa_server = _srv_,ipaserver.l.example.com
> dap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri = ldap://ipasrv.l.example.com
> ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipadevel.l.example.com
> ldap_sasl_realm = L.EXAMPLE.COM
> krb5_server = ipadevel.l.example.com
>
>
>  [sssd]
> config_file_version = 2
> services = nss, pam,ssh,sudo
>
> 
>  how to solve this problem
>
>
>
> Enable sudo debugging and see what happens. Is the command denied or
> is there some other error?
> Generally there are two flavors of errors: something is wrong with a
> connection and no policy gets through, or the policies get through but
> something is wrong with this specific policy or configuration.
> To start debugging, first rule out connectivity issues.
>
> SUDO and sssd debug logs are your friends.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>



-- 
-- May the fox be with you ...
   /\
  (~(
   ) ) /\_/\
  (_=---_(@ @)
(  \   /
/|/\|\  V
" " " "
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
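
Added example (not part of the original thread): a small Python check that compares the sssd.conf from the original report with the client-generated file Vaclav posted, listing domain options that only the hand-edited file has and option names that look like misspellings of generated ones. Both samples are abridged from the configs quoted in the thread; the function names are illustrative.

```python
import configparser
import difflib

# Abridged copies of the two sssd.conf files quoted in this thread.
GENERATED = """
[domain/xxx.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipa.xxx.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
"""
REPORTED = """
[domain/l.example.com]
id_provider = ipa
ipa_server = _srv_,ipaserver.l.example.com
dap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipasrv.l.example.com
ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
ldap_sasl_mech = GSSAPI

 [sssd]
services = nss, pam,ssh,sudo
"""

def load(text):  # strip indentation so an indented ' [sssd]' is still a header
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def domain_keys(cp):  # option names from every [domain/...] section
    return {k for s in cp.sections() if s.startswith("domain/") for k in cp[s]}

def audit(reported, generated):
    rep, gen = load(reported), load(generated)
    extra = domain_keys(rep) - domain_keys(gen)
    # An extra key that nearly matches a generated one is probably misspelled.
    typos = {k: m[0] for k in extra
             if (m := difflib.get_close_matches(k, list(domain_keys(gen)), 1, 0.9))}
    services = {s.strip() for s in rep.get("sssd", "services", fallback="").split(",")}
    return {"sudo_service": "sudo" in services,
            "extra": sorted(extra - set(typos)),
            "typos": typos,
            "missing": sorted(domain_keys(gen) - domain_keys(rep) - set(typos.values()))}

print(audit(REPORTED, GENERATED))
```

The `extra` list holds the options that exist only in the hand-edited file, and `typos` maps each suspicious name to the generated option it resembles.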

Re: [Freeipa-users] Fwd: problem users AD can not sudo in centos 6.6

2015-01-03 Thread Dmitri Pal

On 01/03/2015 05:14 AM, alireza baghery wrote:



hi
I integrated AD Windows 208 R2 with an IPA server (CentOS 6.5).
I wrote a policy for user test to execute any command on any host.
User test can execute sudo on CentOS 6.5 but not on CentOS 6.6
(sudo gets an error).

sssd.conf config:
=
[domain/l.example.com]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = l.example.com
id_provider = ipa
ipa_server = _srv_,ipaserver.l.example.com
dap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipasrv.l.example.com
ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipadevel.l.example.com
ldap_sasl_realm = L.EXAMPLE.COM
krb5_server = ipadevel.l.example.com

[sssd]
config_file_version = 2
services = nss, pam,ssh,sudo

how to solve this problem



Enable sudo debugging and see what happens. Is the command denied or
is there some other error?
Generally there are two flavors of errors: something is wrong with a
connection and no policy gets through, or the policies get through but
something is wrong with this specific policy or configuration.

To start debugging, first rule out connectivity issues.

SUDO and sssd debug logs are your friends.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


[Freeipa-users] Fwd: problem users AD can not sudo in centos 6.6

2015-01-03 Thread alireza baghery
hi
I integrated AD Windows 208 R2 with an IPA server (CentOS 6.5).
I wrote a policy for user test to execute any command on any host.
User test can execute sudo on CentOS 6.5 but not on CentOS 6.6 (sudo
gets an error).
sssd.conf config:
=

[domain/l.example.com]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = l.example.com
id_provider = ipa
ipa_server = _srv_,ipaserver.l.example.com
dap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipasrv.l.example.com
ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipadevel.l.example.com
ldap_sasl_realm = L.EXAMPLE.COM
krb5_server = ipadevel.l.example.com

[sssd]
config_file_version = 2
services = nss, pam,ssh,sudo


how to solve this problem