On Fri, 2015-01-02 at 15:19 +0000, Chris Card wrote:
> I have existing machines running CentOS 6.3 which I want to include in
> a freeipa domain.
>
> The domain controller machine is running Fedora 21 and
> freeipa-server-4.1.1-2 while the latest version of ipa I can find that
> runs on CentOS 6.3 is ipa-client-3.0.0-37.el6.x86_64.
>
> I have successfully run ipa-client-install on the CentOS 6.3 client
> and set up users who can ssh to the client using ssh-keys.
>
> The problem is that I can't get sudo rules to work. I know that the
> ipa client software version 3.0.0 doesn't automatically set up all the
> configuration for sssd to control sudo access, but I have set up all
> the configuration necessary manually:
>
> On the client, /etc/nsswitch.conf has
>
> sudoers files sss
>
> /etc/sssd/sssd.conf has
>
> [domain/default]
> cache_credentials = True
> krb5_realm = <REALM>
> krb5_server = <ipa server>:88
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> [domain/<domain>]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = <domain>
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = <ipa server>
> ldap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri = ldap://<ipa server>
> ldap_sudo_search_base = ou=sudoers,<domain base dn>
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/<client fqdn>
> ldap_sasl_realm = <REALM>
> krb5_server = <ipa server>
> debug_level = 9
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = <domain>, default
> debug_level = 9
>
> [nss]
> debug_level = 9
>
> [pam]
> debug_level = 9
>
> [sudo]
> debug_level = 9
>
> [autofs]
>
> I have validated the ldap sasl configuration using ldapsearch, so I'm
> sure they are correct.
>
> The nisdomainname command returns the domain name.
>
> The sudo rules are:
>
> # ipa sudorule-find
> --------------------
> 2 Sudo Rules matched
> --------------------
>   Rule name: sudo-host1
>   Enabled: TRUE
>   Command category: all
>   RunAs User category: all
>   User Groups: host1-rw
>   Host Groups: host1
>   Sudo Option: -authenticate
>
>   Rule name: sudo-host2
>   Enabled: TRUE
>   User Groups: host2-rw
>   Host Groups: host2
>   Sudo Option: -authenticate
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> When a user in user group host1-rw sshs to a client in host group
> host1 and runs "sudo su -" the user gets prompted for a password even
> though the sudo option -authenticate is set.
> I'm not convinced that sudo is even attempting to use sssd, but I'm
> not sure how to confirm this.
>
> I have seen some references to /etc/sudo-ldap.conf in online
> discussions of similar issues. This file exists on my client, but
> everything is commented out. Do I need to put the ldap client
> configuration in /etc/sudo-ldap.conf as well as /etc/sssd/sssd.conf
> for CentOS 6.3 clients?
>
> Any ideas about how to work out what is failing?
>
> Chris

Try "!authenticate" (without the quotes), not "-authenticate" (again, no quotes).
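The thread turns on three things that all have to line up before a sudo rule stored in IPA takes effect on the client: nsswitch.conf must route `sudoers` lookups to `sss`, sssd.conf must start the `sudo` responder and give the domain a `sudo_provider`, and each Sudo Option must be written in sudoers syntax, where a boolean flag is switched off with `!` (so `!authenticate`, not `-authenticate`). The checker below is an added example, not code from the thread or from the FreeIPA or SSSD projects; it reads constructed copies of the two config files and the two rules' options, shaped like the ones Chris posted, and reports which of the three conditions fails. The domain `example.test`, the base DN and the hostnames are placeholders, and the set of boolean flags it knows about is a small hand-picked subset of sudoers flags.

```python
"""Check the three things the thread says a sudo-through-SSSD client needs.

Added example, not code from the thread or from FreeIPA/SSSD. The sample
inputs below are constructed to mirror the posted configuration; the domain
name example.test, the base DN and the hostnames are placeholders.
"""
import configparser
import re

# Constructed sample of /etc/nsswitch.conf (only the lines that matter here).
NSSWITCH_SAMPLE = """\
passwd:     files sss
sudoers:    files sss
"""

# Constructed sample of /etc/sssd/sssd.conf, shaped like the one in the thread.
SSSD_CONF_SAMPLE = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.test, default

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
sudo_provider = ldap
ldap_uri = ldap://ipa.example.test
ldap_sudo_search_base = ou=sudoers,dc=example,dc=test
ldap_sasl_mech = GSSAPI

[domain/default]
id_provider = ldap

[sudo]
debug_level = 9
"""

# Sudo Option values as they appear in the thread's `ipa sudorule-find` output.
SUDO_RULES_SAMPLE = {
    "sudo-host1": ["-authenticate"],
    "sudo-host2": ["-authenticate"],
}

# A few boolean sudoers flags a sudoOption may switch off; sudoers negates with '!'.
BOOLEAN_FLAGS = {"authenticate", "requiretty", "setenv", "noexec",
                 "log_input", "log_output"}

# name, optional operator (=, +=, -=) and value; a leading '!' is only for flags.
_OPTION_RE = re.compile(r"^(?P<neg>!?)(?P<name>[a-z_]+)(?:(?P<op>[+-]?=)(?P<value>.*))?$")


def nsswitch_routes_sudoers_to_sss(text):
    """True when the sudoers database lists sss as a source."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+):?\s+(.*)$", line)   # tolerate a missing colon
        if m and m.group(1) == "sudoers":
            return "sss" in m.group(2).split()
    return False   # no sudoers line at all: sudo never asks sssd


def sssd_sudo_findings(text):
    """List the gaps that would stop sudo rules from reaching the client."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services does not start the sudo responder")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for domain in domains:
        sect = "domain/" + domain
        if not cp.has_section(sect):
            findings.append(f"{sect}: listed in domains but section is missing")
            continue
        provider = cp.get(sect, "sudo_provider", fallback=None)
        if provider is None:
            findings.append(f"{sect}: no sudo_provider, rules are not served from this domain")
        elif provider == "ldap" and not cp.has_option(sect, "ldap_sudo_search_base"):
            findings.append(f"{sect}: sudo_provider = ldap without ldap_sudo_search_base")
    return findings


def check_sudo_option(option):
    """Return None if the option is sudoers syntax, otherwise a message."""
    opt = option.strip()
    if opt.startswith("-") and opt[1:] in BOOLEAN_FLAGS:
        return f"{opt!r}: sudoers negates a flag with '!', use '!{opt[1:]}'"
    m = _OPTION_RE.match(opt)
    if not m:
        return f"{opt!r}: not a recognisable sudoers option"
    if m.group("neg") and (m.group("name") not in BOOLEAN_FLAGS or m.group("op")):
        return f"{opt!r}: '!' only switches off a boolean flag"
    return None


def check_rules(rules):
    """Map rule name -> list of problems found in its sudo options."""
    return {name: [msg for msg in map(check_sudo_option, opts) if msg]
            for name, opts in rules.items()}


if __name__ == "__main__":
    print("nsswitch sudoers -> sss:", nsswitch_routes_sudoers_to_sss(NSSWITCH_SAMPLE))
    for f in sssd_sudo_findings(SSSD_CONF_SAMPLE):
        print("sssd.conf:", f)
    for rule, problems in check_rules(SUDO_RULES_SAMPLE).items():
        for p in problems:
            print(f"{rule}: {p}")
```

Run against the constructed samples it reports only that `domain/default` serves no sudo rules (expected, since that domain is a plain LDAP identity source) and flags both rules' `-authenticate` options, which is the defect the reply points at. Pointing the three functions at the real `/etc/nsswitch.conf`, `/etc/sssd/sssd.conf` and the `Sudo Option` values from `ipa sudorule-find` gives the same three checks on a live client.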
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project