I rebooted one of the servers and it worked! Thanks a lot
On Wed, Jun 12, 2013 at 6:29 PM, Sina Owolabi <[email protected]> wrote:

> Thank you for the reply Alex, though I'm a little confused that I am
> answering the correct email.
> I have taken a look at the example sssd.conf you advised, and I'm a little
> curious if the configuration supports having multiple IPA servers? I have a
> multi-master setup with two servers. I tried to add both servers to the
> ldap uri and to the krb5 section but the service refused to start.
> Also I have to note that this not being able to sudo only seems to affect
> physical servers, and not the virtual machines I have applied it against.
> Also unfortunately, this didn't work either.. I guess I will try a reboot
> first if I can.
>
> sudo debug:
>
> [root@waphost IPA-configs]# su - oowolabi
>
> [oowolabi@waphost ~]$ sudo service httpd status
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 1
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 15
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: Looking for cn=defaults: cn=defaults
> sudo: no default options found in ou=SUDOers,dc=qrios,dc=com
> sudo: ldap search '(|(sudoUser=oowolabi)(sudoUser=%oowolabi)(sudoUser=%#721800009)(sudoUser=%admins)(sudoUser=%employees)(sudoUser=%qrios)(sudoUser=%#721800000)(sudoUser=%#721800006)(sudoUser=%#721800008)(sudoUser=ALL))'
> sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: ldap search '(sudoUser=+*)'
> sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: sorting remaining 0 entries
> sudo: searching LDAP for sudoers entries
> sudo: done with LDAP searches
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(0)=0x40
> [sudo] password for oowolabi:
> oowolabi is not allowed to run sudo on waphost. This incident will be
> reported.
> [oowolabi@waphost ~]$ exit
>
>
> On Wed, Jun 12, 2013 at 10:10 AM, Alexander Bokovoy
> <[email protected]> wrote:
>
>> On Wed, 12 Jun 2013, Matt . wrote:
>>
>>> Hi,
>>>
>>> A lot of people seem to have problems with Sudo and FreeIPA.
>>>
>>> How to enable sudo is described here:
>>>
>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>
>>> The problem we are facing, also discussed on IRC is that there is looked in
>>> the local sudoers file of the client if the logged-in user may sudo. Of
>>> course the username is not known there.
>>>
>> Not sure what exactly is your problem? Could you please rephrase and
>> show it with logs again?
>>
>> If you are using SSSD's sudo integration against IPA server, then here
>> is what you need to get it working on Fedora 18/19 and RHEL 6.4:
>>
>> 1. install libsss_sudo package
>>
>> 2. Add/change following line to /etc/nsswitch.conf
>>
>>    sudoers: files sss
>>
>> 3. Make sure your /etc/sssd/sssd.conf looks like this example:
>>    http://abbra.fedorapeople.org/.paste/sssd.conf.example
>>
>> 4. Restart sssd
>>
>> These are the only actions I needed to get sudo working for IPA users on
>> Fedora 19 and RHEL 6.4.
>>
>> Please note that
>>    sudoers: files sss
>> gives you a chance to have local users configured in local sudoers. If you
>> don't want them to be able to use sudo, just change the line in
>> /etc/nsswitch.conf to
>>    sudoers: sss
>>
>>
>> --
>> / Alexander Bokovoy
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
> --
> best regards,
>
> Sina Owolabi
> +2348034022578
> +2348176469061
>

--
best regards,
Sina Owolabi
+2348034022578
+2348176469061
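The sudo debug output quoted in this thread can be reduced to the few lines that decide the outcome. The following is an added example, not code from the thread, sudo or FreeIPA; `summarize` and `diagnose` are hypothetical helper names, and the sample is an excerpt of the log quoted above with the first search filter shortened.

```python
import re

# Excerpt of the sudo debug output quoted in the thread (first filter shortened).
SAMPLE = """\
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: ldap search '(|(sudoUser=oowolabi)(sudoUser=%admins)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
sudo: result now has 0 entries
sudo: user_matches=1
sudo: host_matches=0
"""

def summarize(debug_text):
    """Collect searches, entry count and match flags from sudo LDAP debug lines."""
    info = {"ok": set(), "searches": [], "entries": None,
            "user_matches": None, "host_matches": None}
    for raw in debug_text.splitlines():
        line = raw.lstrip("> ").strip()      # tolerate mail quote markers
        if not line.startswith("sudo: "):
            continue                          # shell prompts, blank lines
        msg = line[len("sudo: "):]
        if msg in ("ldap_start_tls_s() ok", "ldap_sasl_bind_s() ok"):
            info["ok"].add(msg.split("(")[0])
        elif m := re.fullmatch(r"ldap search '(.*)'", msg):
            info["searches"].append({"filter": m.group(1), "base": None})
        elif (m := re.fullmatch(r"searching from base '(.*)'", msg)) and info["searches"]:
            info["searches"][-1]["base"] = m.group(1)
        elif m := re.fullmatch(r"result now has (\d+) entries", msg):
            info["entries"] = int(m.group(1))  # keep the last count reported
        elif m := re.fullmatch(r"(user|host)_matches=(\d+)", msg):
            info[m.group(1) + "_matches"] = bool(int(m.group(2)))
    return info

def diagnose(info):
    """Reduce the summary to a one-line finding."""
    if info["ok"] != {"ldap_start_tls_s", "ldap_sasl_bind_s"}:
        return "TLS start or bind not confirmed in this log"
    if info["entries"] is None or info["host_matches"] is None:
        return "log incomplete: no entry count or host_matches line"
    if info["entries"] == 0 or not info["host_matches"]:
        return "no sudoers entry matched this user on this host"
    return "at least one sudoers entry matched this host"

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE)))
```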
