On Tue, Apr 07, 2015 at 11:58:35AM +0200, Chamambo Martin wrote:
> I have deployed FreeIPA on RedHat 7 and everything is working perfectly fine
> except when I try to configure SUDO. All my clients are all centos 6 and
> RedHat 6 clients and have the below config. I have followed every how-to
> and I just can't seem to get it. I have configured the sudo commands and
> rules mostly for reading files /usr/bin/vim and /usr/bin/less for reading
> log files
>
> /etc/nssswitch
>
> sudoers: files sss
>
> cat /etc/sssd/sssd.conf
>
> [root@nemo ~]# cat /etc/sssd/sssd.conf
>
> [domain/default]

It is really strange that you have a domain called default (that's the name
authconfig normally uses) set to ldap provider. Where does this come from,
did you add it manually? This really sounds wrong and I would suggest
removing this domain, but I'd also like to know why you added it in the
first place?

>
> autofs_provider = ldap
> cache_credentials = True
> krb5_realm = XX.XX.XX
> krb5_server = XX.XX.XX.XX:88
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_id_use_start_tls = False
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> [domain/ai.co.zw]
>
> debug_level = 0x07F0
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = XX.XX.XX.XX
> chpass_provider = ipa
> ipa_server = _srv_, XX.XX.XX.XX
> ldap_tls_cacert = /etc/ipa/ca.crt

What RHEL/CentOS version are you running in particular? Starting with 6.6,
it should be enough to do:
    sudo_provider = ipa

>
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
>
> domains = default, XX.XX.XX
>
> [nss]
>
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
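
The two points raised in the reply above (the ldap domain named default and the missing sudo_provider), as an added example that is not part of the original thread: a small checker for an sssd.conf, run on a constructed sample. The names example.test and ipa1.example.test are placeholders, and check_sssd_conf is a hypothetical helper name.

```python
import configparser

# Constructed sample modelled on the configuration quoted in the thread;
# example.test and ipa1.example.test are placeholders, not values from the post.
SAMPLE = """\
[domain/default]
id_provider = ldap

[domain/example.test]
id_provider = ipa
ipa_server = _srv_, ipa1.example.test

[sssd]
services = nss, sudo, pam, autofs, ssh
domains = default, example.test
"""

def split_list(value):
    """Split a comma-separated sssd.conf value into trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def check_sssd_conf(text):
    """Return findings for the sudo-related issues raised in the reply."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    services = split_list(cfg.get("sssd", "services", fallback=""))
    providers = {}
    for name in split_list(cfg.get("sssd", "domains", fallback="")):
        section = "domain/" + name
        if not cfg.has_section(section):
            findings.append(f"domains lists '{name}' but [{section}] is missing")
            continue
        providers[name] = cfg.get(section, "id_provider", fallback="")
    has_ipa = "ipa" in providers.values()
    for name, id_provider in providers.items():
        section = "domain/" + name
        if name == "default" and id_provider == "ldap" and has_ipa:
            findings.append(f"[{section}] uses the ldap provider next to an IPA domain")
        if ("sudo" in services and id_provider == "ipa"
                and not cfg.has_option(section, "sudo_provider")):
            findings.append(f"[{section}] has no sudo_provider (reply: sudo_provider = ipa)")
    return findings

if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE):
        print(finding)
```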