Thank you both. I was able to get this working by just adding the sudo_provider = ipa to sssd.conf. I removed all the ldap_uri and krb5_server lines to keep the file tidier. I had read service discovery works with sssd but was told by Redhat support it does not. I am happy to hear it does as it is much easier to maintain.
Thanks again.

--------------------------------------------
On Wed, 12/3/14, Lukas Slebodnik <[email protected]> wrote:

Subject: Re: [Freeipa-users] sudo utilizing sssd rhel6.6
To: "sipazzo" <[email protected]>
Cc: [email protected]
Date: Wednesday, December 3, 2014, 7:38 AM

On (03/12/14 06:05), sipazzo wrote:
> Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup instructions previously:
>
> yum install -y libsss_sudo
>
> Added to /etc/nsswitch.conf
>
> sudoers: sss files
>
> Add nisdomainname:
>
> nisdomainname ipadomain.com
> echo "NISDOMAIN=ipadomain.com" >> /etc/sysconfig/network
>
> Added the following to /etc/sssd/sssd.conf (is all this really necessary?)
>
> [domain/ipadomain.com]
> ……….
>
> sudo_provider = ldap
> ldap_uri = ldaps://ipasrv2-corp.ipadomain.com, ldaps://ipasrv1-xo.ipadomain.com, ldaps://ipasrv1-io.ipadomain.com, ldaps://ipasrv1-corp.ipadomain.com, ldaps://ipasrv2-xo.ipadomain.com, ldaps://ipasrv2-io.ipadomain.com
> ldap_sudo_search_base = ou=sudoers,dc=ipadomain,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipaclient1.ipadomain.com
> ldap_sasl_realm = ipadomain.COM
> krb5_server = ipasrv2-corp.ipadomain.com, ipasrv1-xo.ipadomain.com, ipasrv1-io.ipadomain.com, ipasrv1-corp.ipadomain.com, ipasrv2-xo.ipadomain.com, ipasrv2-io.ipadomain.com
>
> [sssd]
> services = nss, pam, sudo, ssh
>
> [sudo]
>
>
> Restart sssd service
>
> I know that libsss_sudo is now included as part of another package and read that you need sssd-common which I tried installing to no avail as well. I had been told that despite the man pages on sssd I needed to specify the servers in ldap_uri (and I assume krb5_server) as it would not use SRV records but am not sure that is correct.
>
> Questions:
> 1) What are the steps to get sudo working with sssd on an existing, newly patched (to rhel6.6) system
Configuration from rhel 6.5 should work also on rhel 6.6
But rhel 6.6 can work also with sudo_provider = ipa
In this case sssd configuration is easier.
You can find details in manual page man sssd-sudo.

> 2) Are the steps any different for a new system (i.e. I read it is "seamless" but I guess we still have to manually edit files?)
On rhel6.6 ipa-client-install should configure sudo unless you executed ipa-client-install with --no-sudo

> 3) Does sssd in Rhel6.6 support SRV lookup for the ldap_uri and krb5_server and do we have to specify the ldap_sasl_authid with the client hostname
Yes, it does. man sssd.ldap -> SERVICE DISCOVERY

If you use sudo_provider=ipa then you will not need to configure all ldap_* krb5_* options on your own.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
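The thread above boils down to three settings on the client: `sudo` in the `[sssd]` services list, a `sudo_provider` in the domain section (with `ldap_uri` and `ldap_sudo_search_base` only needed when the provider is `ldap`), and `sudoers: sss` in nsswitch.conf. The script below is an added example, not code from the thread or from the SSSD project: it reads those values out of a given sssd.conf and nsswitch.conf and reports what is missing, so the post-patch breakage described in the first message can be checked before restarting sssd. The sample files it writes are constructed for the demo and use the thread's placeholder domain, not real hosts.

```shell
#!/bin/sh
# Added example: sanity-check the sudo-over-sssd settings discussed in the
# thread. Each check function returns 0 when the setting is present and 1
# (with a short message) when it is not. Nothing here touches the live files.

# Print the value of KEY inside [SECTION] of an ini-style file (first hit only).
ini_get() {   # ini_get FILE SECTION KEY
    awk -v sect="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insect = ($0 == sect); next }
        insect && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# The sudo responder must be listed in [sssd] services, and the domain needs a
# sudo provider. With sudo_provider = ipa the servers come from IPA/SRV
# discovery; with sudo_provider = ldap the thread's config also sets ldap_uri
# and ldap_sudo_search_base, so require those two in that case.
check_sssd_sudo() {   # check_sssd_sudo SSSD_CONF DOMAIN
    conf=$1; domain=$2
    services=$(ini_get "$conf" sssd services)
    case ",$(printf '%s' "$services" | tr -d ' ')," in
        *,sudo,*) ;;
        *) echo "sudo missing from [sssd] services"; return 1 ;;
    esac
    provider=$(ini_get "$conf" "domain/$domain" sudo_provider)
    case "$provider" in
        ipa) return 0 ;;
        ldap)
            for k in ldap_uri ldap_sudo_search_base; do
                [ -n "$(ini_get "$conf" "domain/$domain" "$k")" ] ||
                    { echo "sudo_provider = ldap but $k is not set"; return 1; }
            done
            return 0 ;;
        *) echo "no usable sudo_provider in [domain/$domain]"; return 1 ;;
    esac
}

# nsswitch.conf must route sudoers lookups through sss (e.g. "sudoers: sss files").
check_nsswitch_sudoers() {   # check_nsswitch_sudoers NSSWITCH_CONF
    grep -E '^[[:space:]]*sudoers:' "$1" |
        grep -Eq '(^|[[:space:]])sss([[:space:]]|$)'
}

# Demo on constructed files (placeholder domain from the thread, no real hosts):
# the minimal sudo_provider = ipa layout the reply recommends.
demo() {
    d=$(mktemp -d)
    cat > "$d/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, sudo, ssh
domains = ipadomain.com

[domain/ipadomain.com]
id_provider = ipa
sudo_provider = ipa
EOF
    cat > "$d/nsswitch.conf" <<'EOF'
passwd:  files sss
sudoers: sss files
EOF
    check_sssd_sudo "$d/sssd.conf" ipadomain.com &&
        check_nsswitch_sudoers "$d/nsswitch.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "sample sssd.conf and nsswitch.conf pass both sudo checks"
```

Run it against the real files with `check_sssd_sudo /etc/sssd/sssd.conf ipadomain.com` and `check_nsswitch_sudoers /etc/nsswitch.conf` (sssd.conf is root-only, so as root). A config that still carries `sudo_provider = ldap` without `ldap_sudo_search_base` is reported rather than silently accepted, which is the situation the first message describes.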
