I wanted to follow up on this. Since sudo needs to be added to sssd.conf and nsswitch.conf, is it possible to add the options via ipa-client-install? I can do the same with chef, but this seems like something that should be done with ipa?
Thank You

On Thu, Mar 24, 2016 at 4:51 PM, Christophe TREFOIS <christophe.tref...@uni.lu> wrote:
> Hi,
>
> Are you not missing "sudo" in [sssd] and did you restart the services on the machine? We found quite a significant cache, which sometimes leads to asking passwords.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html
>
> You might even have to delete /var/lib/sss/db/ contents and restart sssd.
>
> Best,
>
> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Ash Alam
> *Sent:* Thursday, 24 March 2016 19:50
> *To:* Jakub Hrozek <jhro...@redhat.com>
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd
>
> Based on (How to troubleshoot Sudo)
>
> - Maybe I misspoke when I said it fails completely. Rather, it keeps asking for the user's password, which it does not accept.
> - I do not have sudo in sssd.conf
> - I do not have sudoers: sss defined in nsswitch.conf
> - Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if these need to be defined
> - If this is the case then adding them might resolve my issues.
> - For the special sudo rule(s), is there any way to track it via the GUI? I am trying to keep track of all the configs so it's not a black hole for the next person.
>
> - This is what it looks like on the web GUI
>
> [image: Inline image 1]
>
> - This is what a client's sssd.conf looks like
>
> [domain/xxxxx]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = pp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = xxxxxx
> chpass_provider = ipa
> ipa_server = _srv_, xxxxx
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
>
> domains = XXXXX
>
> [nss]
> homedir_substring = /home
>
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
> [ifp]
>
> On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> > On 24 Mar 2016, at 17:21, Ash Alam <aa...@paperlesspost.com> wrote:
> > > Hello
> > >
> > > I am looking for some guidance on how to properly do sudo with Freeipa. I have read up on what I need to do but I can't seem to get it to work correctly. Now with sudoers.d I can accomplish this fairly quickly.
> > >
> > > Example:
> > >
> > > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client
> > >
> > > What I have configured in Freeipa Sudo Rules:
> > >
> > > Sudo Option: !authenticate
> > > Who: dev (group)
> > > Access this host: testing (group)
> > > Run Commands: set of commands that are defined.
> > >
> > > Now when I apply this, it still does not work as it asks for a password for the user and then fails. I am hoping to allow a group to only run certain commands without requiring a password.
> >
> > You should first find out why sudo fails completely. We have this guide that should help you:
> > https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
> >
> > About asking for passwords -- defining a special sudo rule called 'defaults' and then adding '!authenticate' should help:
> > Add a special Sudo rule for default Sudo server configuration:
> > ipa sudorule-add defaults
> >
> > Set a default Sudo option:
> > ipa sudorule-add-option defaults --sudooption '!authenticate'
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
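Added example, not from the thread or from the FreeIPA/SSSD projects: a small shell check for the two client-side pieces the thread identifies, "sudo" in the services list of the [sssd] section and a "sudoers:" line in nsswitch.conf that includes sss. The two config files it reads are constructed samples written to a temp dir under hypothetical paths; the broken one mirrors the sssd.conf quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: check whether an IPA client has the two
# pieces the thread identifies, "sudo" in the services list of the [sssd]
# section of sssd.conf and a "sudoers:" line in nsswitch.conf that includes sss.
# Returns 0 when both are present, 1 otherwise, printing what is missing.
check_sudo_integration() {
  sssd_conf=$1
  nss_conf=$2
  rc=0

  # Value of "services =" taken from the [sssd] section only.
  services=$(sed -n '/^\[sssd\]/,/^\[/{s/^[[:space:]]*services[[:space:]]*=//p;}' "$sssd_conf")
  case ",$(printf '%s' "$services" | tr -d ' ')," in
    *,sudo,*) ;;
    *) echo "sssd.conf: 'sudo' missing from services (found:${services:- none})"; rc=1 ;;
  esac

  # nsswitch.conf needs something like "sudoers: files sss".
  if ! grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$nss_conf"; then
    echo "nsswitch.conf: no 'sudoers:' entry that includes sss"
    rc=1
  fi
  return $rc
}

# Constructed sample configs under hypothetical paths in a temp dir.
TMPD=$(mktemp -d)
BROKEN_SSSD=$TMPD/sssd-broken.conf    # mirrors the thread: no "sudo" in services
FIXED_SSSD=$TMPD/sssd-fixed.conf
BROKEN_NSS=$TMPD/nsswitch-broken.conf
FIXED_NSS=$TMPD/nsswitch-fixed.conf
cat > "$BROKEN_SSSD" <<'EOF'
[domain/example.test]
id_provider = ipa
[sssd]
services = nss, pam, ssh
domains = example.test
[sudo]
EOF
sed 's/^services = .*/services = nss, pam, ssh, sudo/' "$BROKEN_SSSD" > "$FIXED_SSSD"
printf 'passwd: files sss\nsudoers: files\n' > "$BROKEN_NSS"
printf 'passwd: files sss\nsudoers: files sss\n' > "$FIXED_NSS"

check_sudo_integration "$BROKEN_SSSD" "$BROKEN_NSS" || echo "client not ready for SSSD sudo"
check_sudo_integration "$FIXED_SSSD" "$FIXED_NSS" && echo "client ready for SSSD sudo"
```

After fixing both files, restart sssd (and clear its cache as Christophe describes) before retesting, since the old cache can keep prompting for a password.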