On (03/12/14 06:05), sipazzo wrote:
>Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and
>clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and
>solaris. It seemed like my sudo config using sssd in rhel6.5 was working and
>then we patched to 6.6 and it is broken. I had followed these setup
>instructions previously:
>
>yum install -y libsss_sudo
>
>Added to /etc/nsswitch.conf
>
>sudoers: sss files
>
>Add nisdomainname:
>
>nisdomainname ipadomain.com
>echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network
>
>Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
>
>[domain/ipadomain.com]
>……….
>
>sudo_provider = ldap
>ldap_uri = ldaps://ipasrv2-corp.ipadomain.com,
>ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com,
>ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com,
>ldaps://ipasrv2-io.ipadomain.com
>ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
>ldap_sasl_mech = GSSAPI
>ldap_sasl_authid = host/ipaclient1.ipadomain.com
>ldap_sasl_realm = ipadomain.COM
>krb5_server =ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com,
>ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com,
>ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
>
>[sssd]
>services = nss, pam, sudo, ssh
>
>[sudo]
>
>
>Restart sssd service
>
>I know that libsss_sudo is now included as part of another package and read
>that you need sssd-common which I tried installing to no avail as well. I had
>been told that despite the man pages on sssd I needed to specify the servers
>in ldap_uri (and I assume krb5_server) as it would not use SRV records but am
>not sure that is correct.
>
>Questions:
>1) What are the steps to get sudo working with sssd on an existing, newly
>patched (to rhel6.6) system
Configuration from rhel 6.5 should work also on rhel 6.6
But rhel 6.6 can work also with sudo_provider = ipa
In this case sssd configuration is easier.
You can find details in manual page man sssd-sudo.

>2) Are the steps any different for a new system (i.e. I read it is "seamless"
>but I guess we still have to manually edit files?)
On rhel6.6 ipa-client-install should configure sudo unless you executed
ipa-client-install with --no-sudo

>3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server
>and do we have to specify the ldap_sasl_authid with the client hostname
Yes, it does. man sssd.ldap -> SERVICE DISCOVERY

If you use sudo_provider=ipa then you will not need to configure all ldap_*
krb5_* options on your own.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
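A way to verify a client for the settings discussed in this thread, as an added example (not code from the thread, nor from the SSSD or FreeIPA projects): a POSIX shell lint that checks nsswitch routes sudoers to sss, that the sudo responder is in the [sssd] services line, and that the domain has a sudo_provider (ipa, which needs no ldap_* lines, or ldap, which needs ldap_sudo_search_base). The sssd.conf and nsswitch.conf samples it runs against are constructed here, reusing the thread's ipadomain.com name; the file paths are taken as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: a lint for the two files the thread
# touches (/etc/sssd/sssd.conf and /etc/nsswitch.conf). It checks the
# settings sudo-over-SSSD needs: sudoers routed to sss, the sudo responder
# in [sssd] services, and a sudo_provider in the domain section.
# Paths are taken as arguments so it runs against constructed samples here.

# check_sudo_sssd SSSD_CONF NSSWITCH_CONF  -> returns 0 when every check passes
check_sudo_sssd() {
  conf="$1"; nss="$2"; rc=0
  if grep -Eq '^[[:space:]]*sudoers:([[:space:]]+[a-z]+)*[[:space:]]+sss([[:space:]]|$)' "$nss"; then
    echo "ok: nsswitch.conf routes sudoers lookups to sss"
  else
    echo "FAIL: nsswitch.conf lacks 'sudoers: sss files'"; rc=1
  fi
  if grep -Eq '^[[:space:]]*services[[:space:]]*=.*sudo' "$conf"; then
    echo "ok: sudo responder listed in [sssd] services"
  else
    echo "FAIL: add sudo to 'services =' in [sssd]"; rc=1
  fi
  prov=$(sed -n 's/^[[:space:]]*sudo_provider[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1 | tr -d '[:space:]')
  case "$prov" in
    ipa)  echo "ok: sudo_provider = ipa, servers discovered via IPA, no ldap_*/krb5_* lines needed" ;;
    ldap) echo "ok: sudo_provider = ldap"
          # with the ldap provider the sudo search base must be given explicitly
          grep -Eq '^[[:space:]]*ldap_sudo_search_base[[:space:]]*=' "$conf" \
            || { echo "FAIL: ldap sudo provider needs ldap_sudo_search_base"; rc=1; } ;;
    "")   echo "FAIL: no sudo_provider in the domain section"; rc=1 ;;
    *)    echo "WARN: unexpected sudo_provider '$prov'" ;;
  esac
  return $rc
}

# Constructed samples (not real hosts): the minimal ipa-provider config the
# reply recommends, and a broken one with the sudo responder left out.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
GOOD_CONF="$demo/good.conf"; BAD_CONF="$demo/bad.conf"; NSS="$demo/nsswitch.conf"
printf '%s\n' '[sssd]' 'services = nss, pam, sudo, ssh' 'domains = ipadomain.com' '' \
  '[domain/ipadomain.com]' 'id_provider = ipa' 'sudo_provider = ipa' '' '[sudo]' > "$GOOD_CONF"
printf '%s\n' '[sssd]' 'services = nss, pam' '' '[domain/ipadomain.com]' \
  'sudo_provider = ldap' > "$BAD_CONF"
printf 'sudoers: sss files\n' > "$NSS"

echo "== good =="; check_sudo_sssd "$GOOD_CONF" "$NSS"
echo "== bad ==";  check_sudo_sssd "$BAD_CONF" "$NSS"
```

Run it against the live files with `check_sudo_sssd /etc/sssd/sssd.conf /etc/nsswitch.conf` after sourcing the function; the sample run above passes the first config and reports two failures for the second.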
