I should clarify. I was just following the fedora/ipa docs. My Ipa servers are Centos 7.2 and Ipa 4.2. Clients are Centos 6.6 and 3.0.0
$ rpm -q sssd ipa-client
sssd-1.11.6-30.el6_6.3.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64

On Thu, Mar 24, 2016 at 3:04 PM, Rob Crittenden <[email protected]> wrote:

> Ash Alam wrote:
>
>> Based on (How to troubleshoot Sudo)
>>
>> - Maybe I misspoke when I said it fails completely. Rather it keeps
>> asking for the user's password, which it does not accept.
>> - I do not have sudo in sssd.conf
>> - I do not have sudoers: sss defined in nsswitch.conf
>> - Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if
>> these need to be defined
>> - If this is the case then adding them might resolve my issues.
>> - For the special sudo rule(s), is there any way to track it via the
>> gui? I am trying to keep track of all the configs so it's not a blackhole
>> for the next person.
>>
>
> It would help to know the release of Fedora you're using, the rpm version
> of ipa-client and sssd.
>
> If you are using Fedora freeipa docs they are extremely old, at best F-18.
> Use the RHEL docs.
>
> rob
>
>
>> - This is what it looks like on the web gui
>> Inline image 1
>>
>>
>> - This is what a client's sssd.conf looks like
>> [domain/xxxxx]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = pp
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = xxxxxx
>> chpass_provider = ipa
>> ipa_server = _srv_, xxxxx
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> [sssd]
>> services = nss, pam, ssh
>> config_file_version = 2
>>
>> domains = XXXXX
>> [nss]
>> homedir_substring = /home
>>
>> [pam]
>> [sudo]
>> [autofs]
>> [ssh]
>> [pac]
>> [ifp]
>>
>> On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <[email protected]> wrote:
>>
>>
>> > On 24 Mar 2016, at 17:21, Ash Alam <[email protected]> wrote:
>> >
>> > Hello
>> >
>> > I am looking for some guidance on how to properly do sudo with
>> > Freeipa. I have read up on what I need to do but I can't seem to get it
>> > to work correctly. Now with sudoers.d I can accomplish this fairly quickly.
>> >
>> > Example:
>> >
>> > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
>> >
>> > What I have configured in Freeipa Sudo Rules:
>> >
>> > Sudo Option: !authenticate
>> > Who: dev (group)
>> > Access this host: testing (group)
>> > Run Commands: set of commands that are defined.
>> >
>> > Now when I apply this, it still does not work as it asks for a
>> > password for the user and then fails. I am hoping to allow a group to only
>> > run certain commands without requiring password.
>> >
>>
>> You should first find out why sudo fails completely. We have this
>> guide that should help you:
>> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>>
>> About asking for passwords -- defining a special sudo rule called
>> 'defaults' and then adding '!authenticate' should help:
>> Add a special Sudo rule for default Sudo server configuration:
>> ipa sudorule-add defaults
>>
>> Set a default Sudo option:
>> ipa sudorule-add-option defaults --sudooption '!authenticate'
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
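
Added example, not part of the original thread: a small check for the two client-side settings the poster reports not having, `sudo` in the `[sssd]` `services` list and a `sudoers:` line naming `sss` in nsswitch.conf. The sample inputs are constructed from the configuration quoted above, and the function names are this example's own; note that an empty `[sudo]` section, as in the quoted sssd.conf, does not by itself put `sudo` in the services list.

```python
import configparser

# Constructed sample inputs modelled on the client configuration quoted in the thread.
SAMPLE_SSSD_CONF = """\
[domain/example]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example
[nss]
[pam]
[sudo]
"""

SAMPLE_NSSWITCH = """\
passwd:     files sss
group:      files sss
# sudoers: files sss
"""

def sssd_services(conf_text):
    """Return the responders listed under [sssd] services."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = parser.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]

def nsswitch_sources(nss_text, database):
    """Return the sources for one nsswitch database, ignoring comments."""
    for line in nss_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []

def check_sudo_integration(conf_text, nss_text):
    """List the client-side settings that keep sudo from consulting SSSD."""
    findings = []
    if "sudo" not in sssd_services(conf_text):
        findings.append("sssd.conf: 'sudo' missing from [sssd] services")
    if "sss" not in nsswitch_sources(nss_text, "sudoers"):
        findings.append("nsswitch.conf: no 'sudoers:' line with 'sss'")
    return findings

if __name__ == "__main__":
    for finding in check_sudo_integration(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH):
        print(finding)
```
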
