Good morning, I have a fairly new IPA domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of RHEL 6, RHEL 5 and Solaris. It seemed like my sudo config using SSSD in RHEL 6.5 was working, and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
1) yum install -y libsss_sudo

2) Added to /etc/nsswitch.conf:

     sudoers: sss files

3) Add nisdomainname:

     nisdomainname ipadomain.com
     echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network

4) Added the following to /etc/sssd/sssd.conf (is all this really necessary?):

     [domain/ipadomain.com]
     ……….
     sudo_provider = ldap
     ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
     ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
     ldap_sasl_mech = GSSAPI
     ldap_sasl_authid = host/ipaclient1.ipadomain.com
     ldap_sasl_realm = ipadomain.COM
     krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com

     [sssd]
     services = nss, pam, sudo, ssh

     [sudo]

5) Restart the sssd service.

I know that libsss_sudo is now included as part of another package, and I read that you need sssd-common, which I tried installing, to no avail as well. I had been told that, despite the man pages on sssd, I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records, but I am not sure that is correct.

Questions:

1) What are the steps to get sudo working with sssd on an existing, newly patched (to RHEL 6.6) system?
2) Are the steps any different for a new system (i.e. I read it is "seamless", but I guess we still have to manually edit files)?
3) Does sssd in RHEL 6.6 support SRV lookup for ldap_uri and krb5_server, and do we have to specify ldap_sasl_authid with the client hostname?

Thank you for any assistance.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
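As an added check, not part of the post above and not code from the SSSD or FreeIPA projects: a small Python script that parses an sssd.conf and an nsswitch.conf and reports which of the settings the post lists (sudoers: sss in nsswitch, sudo in the [sssd] services list, a sudo_provider in the domain section) are missing, plus the ownership and 0600 mode that SSSD of that era enforces on sssd.conf before it will start. The sample config text is constructed to mirror the post; the domain name, file paths and the check_host() helper are assumptions for illustration, and passing these checks only means the listed settings are present, not that the server-side sudo tree is reachable.

```python
"""Verify the client-side sudo/SSSD wiring described in the post.

Added example; not from the original message or from the SSSD project.
"""
import configparser
import os
import stat

# Constructed sample input modelled on the post (not a real host's config).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, sudo, ssh
domains = ipadomain.com

[domain/ipadomain.com]
id_provider = ipa
sudo_provider = ldap
ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com
ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
ldap_sasl_mech = GSSAPI

[sudo]
"""

SAMPLE_NSSWITCH = """
# constructed excerpt of /etc/nsswitch.conf
passwd:     files sss
sudoers:    sss files
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style with '=' as the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp


def service_list(cp):
    """Responders started by the sssd monitor ([sssd] services = a, b, c)."""
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def nss_sources(text, database):
    """Sources listed for one nsswitch database, e.g. ['sss', 'files']."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []


def check_sudo_wiring(sssd_text, nsswitch_text, domain):
    """Return findings for the settings the post lists; [] means all present."""
    findings = []
    if "sss" not in nss_sources(nsswitch_text, "sudoers"):
        findings.append("nsswitch.conf: 'sudoers' line does not list 'sss'")
    cp = parse_sssd_conf(sssd_text)
    if "sudo" not in service_list(cp):
        findings.append("sssd.conf: [sssd] services does not include 'sudo'")
    section = "domain/" + domain
    if not cp.has_section(section):
        findings.append("sssd.conf: no [%s] section" % section)
    elif not cp.has_option(section, "sudo_provider"):
        findings.append("sssd.conf: [%s] sets no sudo_provider" % section)
    return findings


def sssd_conf_perm_findings(mode, uid):
    """SSSD refuses to start unless sssd.conf is root-owned and mode 0600.

    Takes the st_mode and st_uid from os.stat() so it can be tested offline.
    """
    findings = []
    if uid != 0:
        findings.append("sssd.conf: not owned by root (uid %d)" % uid)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("sssd.conf: mode %04o is accessible to group/other"
                        % stat.S_IMODE(mode))
    return findings


def check_host(domain, sssd_path="/etc/sssd/sssd.conf",
               nsswitch_path="/etc/nsswitch.conf"):
    """Run both checks against real files on a host (assumed paths; needs root)."""
    st = os.stat(sssd_path)
    with open(sssd_path) as f, open(nsswitch_path) as g:
        findings = check_sudo_wiring(f.read(), g.read(), domain)
    return sssd_conf_perm_findings(st.st_mode, st.st_uid) + findings


if __name__ == "__main__":
    # Run against the constructed samples; use check_host() on a real client.
    for finding in check_sudo_wiring(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH,
                                     "ipadomain.com") or ["all listed settings present"]:
        print(finding)
```

On a client, `check_host("ipadomain.com")` as root prints the same style of findings against the live files; an empty list from both checks means the nsswitch, services and provider settings from the post are in place and sssd will at least accept the file's permissions, after which the remaining variables are the server side (the ou=sudoers tree and SRV/ldap_uri reachability), which this script does not test.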
