On 02/13/2014 06:04 PM, Steve Dainard wrote:
I don't think this is an issue of bugs or documentation, more of
design. Perhaps there's someplace other than a users list this belongs
in but:
If IPA is a centrally managed identity and access control system,
should these configurations not be passed to clients, rather than
every client needing configuration changes post join? Obviously I can
automate config changes, but why would I want to? I don't think
sudoers priv is a fringe case, its pretty much THE case for
access/admin control. I cringe to compare to a Windows domain, but I
don't have to manually tell a domain client that it should respect the
rules I set on a domain controller, I joined it to the domain for this
reason.
Maybe you're working towards this, but in the meantime it would be
great if the options existed in the config files so we immediately
know what options are available and can comment/uncomment them rather
than searching around man pages for options that might exist.
I believe you were looking for a documentation bug:
# man sssd-sudo
To enable SSSD as a source for sudo rules, *add sss to the
sudoers entry* in nsswitch.conf(5).
For example, to configure sudo to first lookup rules in the
standard sudoers(5) file (which
should contain rules that apply to local users) and then in
SSSD, the nsswitch.conf file
should contain the following line:
* sudoers: files sss*
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#nisplusUse NIS+ (NIS version 3)
#nisUse NIS (NIS version 2), also called YP
#dnsUse DNS (Domain Name Service)
#filesUse the local files
#dbUse the local database (.db) files
#compatUse NIS on compat mode
#hesiodUse Hesiod for user lookups
#[NOTFOUND=return]Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files sss
shadow: files sss
group: files sss
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files mdns4_minimal [NOTFOUND=return] dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
Entry does not exist.
*Steve Dainard *
IT Infrastructure Manager
Miovision <http://miovision.com/> | /Rethink Traffic/
*Blog <http://miovision.com/blog> | **LinkedIn
<https://www.linkedin.com/company/miovision-technologies> | Twitter
<https://twitter.com/miovision> | Facebook
<https://www.facebook.com/miovision>*
------------------------------------------------------------------------
Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener,
ON, Canada | N2C 1L3
This e-mail may contain information that is privileged or
confidential. If you are not the intended recipient, please delete the
e-mail and any attachments and notify us immediately.
On Thu, Feb 13, 2014 at 5:15 PM, Jakub Hrozek <jhro...@redhat.com
<mailto:jhro...@redhat.com>> wrote:
On Thu, Feb 13, 2014 at 03:05:07PM -0500, Steve Dainard wrote:
> Is this server or client side where sudo_provider=ipa is
included in ver >
> 1.11.x?
Client side (sssd)
>
> My fedora 20 client doesn't have this option listed, or is it
baked in?
>
Where exactly do you see the documentation lacking, perhaps the
sssd-ipa
man page, or the sssd-sudo man page? I agree that docs are important,
but my view might be skewed because I know the internals..
All that should be required with 1.9.6 or 1.11.x is:
sudo_provider=ipa
And enabling the 'sss' module in /etc/nsswitch.conf:
sudoers: files sss
That's it. Please let us know if you find any bugs in code or docs.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Managing configuration files is outside of scope of IPA or SSSD. We
looked at this at the beginning of the IPA project a got a push back
from administrators who are used to control their Linux infra via
Puppet, Checf and similar means. We are also working on the OpenLMI
provider for SSSD this would allow to introspect and potentially
configure SSSD from the central console, may be even from IPA. But this
is future.
For now the expectation is that some configuration needs to be done
manually or via some scripting. This is how things have always been.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
