On (08/04/15 09:25), Chamambo Martin wrote:
>Good day
>
>I am running FreeIPA, version: 4.1.0 and everything is working well except
>SUDO configuration.
>
ipa-client-install on CentOS 7.1 should configure sudo by default.

>I have 3 questions
>
> 1: I have configured the bare minimum sudo configuration without
>hostgroups and netgroups , just sudo commands and sudo command groups that
>have been added as sudo rules .....this should work right
yes. and sudo rules with netgroups should work on CentOS 7.1 as well
because nisdomainname should be configured.

> 2: I have centos 6.6 and redhat 6.6 clients using the sssd
>service ,is that enough for sudo to work if the configs are as below
>
>
>cat /etc/nsswitch.conf
>
>sudoers: files sss
>
>cat /etc/sssd/sssd.conf
>
>[domain/ai.co.zw]
>
>debug_level=6
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ai.co.zw
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = ironhide.ai.co.zw
>chpass_provider = ipa
>ipa_server = _srv_, cyclops.ai.co.zw
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>[sssd]
>services = nss, sudo, pam, ssh
>config_file_version = 2
>
>
>domains = ai.co.zw
>[nss]
>homedir_substring = /home
The default value of this option is "/home"
You can remove it. Where did you find it?

>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
If you do not use netgroups (or hostgroups) in sudo rules
then this configuration should work on rhel 6.6 (sssd >= 1.10)

The same steps are described in manual page sssd-sudo.

LS
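
Added example, not part of the original message and not FreeIPA or SSSD code: a small Python check for the client-side prerequisites discussed above (sss in the sudoers line of nsswitch.conf, sudo in the [sssd] services list, and a sudo provider for each enabled domain). The function and constant names are hypothetical, the sample input is abridged from the files quoted in the thread, and the fallback of sudo_provider to id_provider follows sssd.conf(5).

```python
import configparser

# Sample input: abridged from the files quoted in the thread.
NSSWITCH = "sudoers: files sss\n"
SSSD_CONF = """\
[domain/ai.co.zw]
id_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ai.co.zw
"""

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def check_sssd_sudo(nsswitch_text, sssd_conf_text):
    """Return a list of problems that keep sudo from reading rules via SSSD."""
    problems = []
    # nsswitch.conf: the sudoers database must list the sss source.
    sources = []
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            sources = line.split(":", 1)[1].split()
    if "sss" not in sources:
        problems.append("nsswitch.conf: sudoers does not list sss")
    # sssd.conf: the sudo responder must be enabled in [sssd] services.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(sssd_conf_text)
    if "sudo" not in split_list(cfg.get("sssd", "services", fallback="")):
        problems.append("sssd.conf: sudo missing from [sssd] services")
    # Each enabled domain needs a sudo provider; it defaults to id_provider.
    for dom in split_list(cfg.get("sssd", "domains", fallback="")):
        section = "domain/" + dom
        if not cfg.has_section(section):
            problems.append("sssd.conf: no [%s] section" % section)
            continue
        provider = cfg.get(section, "sudo_provider",
                           fallback=cfg.get(section, "id_provider", fallback=""))
        if provider.strip().lower() in ("", "none"):
            problems.append("sssd.conf: [%s] has no sudo provider" % section)
    return problems

if __name__ == "__main__":
    print(check_sssd_sudo(NSSWITCH, SSSD_CONF) or "prerequisites present")
```

An empty list only means these file-level prerequisites are met; rules that use netgroups or hostgroups still depend on the points raised in the reply above.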