Re: [Freeipa-users] EL5 sudo and IdM
On (02/05/17 00:36), Z D wrote:
>Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build
>system) we'd like to be ipa-clients. The ipa-client v2.1.3 has been installed,
>that works well.
>
>And I believe that with EL5, there is no sssd support for sudo, hence it's
>configured via /etc/ldap.conf
>

A little bit off-topic.
If you meant el5 == CentOS 5 then I would recommend upgrading to el6.

CentOS Linux 5 has reached End of Life, as of 31 March 2017
http://centosfaq.org/centos-announce/centos-linux-5-eol/

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] EL5 sudo and IdM
Z D wrote:
> Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build
> system) we'd like to be ipa-clients. The ipa-client v2.1.3 has been
> installed, that works well.
>
> And I believe that with EL5, there is no sssd support for sudo, hence
> it's configured via /etc/ldap.conf
>
> The situation I see is that sudo rule is successful only when using ALL
> for hosts, the example of debug message is:
>
> sudo: ldap sudoHost 'ALL' ... MATCH!
>
> Otherwise, it doesn't work and the message is:
>
> sudo: ldap sudoHost '+hostg_build' ... not
>
> The "hostg_build" is IPA host group, and if I read "man sudoers.ldap"
> correctly, sudoHost expects host netgroup (prefixed with a '+').

A netgroup is created for every hostgroup automatically. Make sure you
have your NIS domain set and the netgroup is resolvable using getent
netgroup foo

rob
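
The checks from the reply above, as an added example that is not part of the original thread: it tests that the NIS domain is set and the netgroup resolves, and goes one step further by checking that the client appears in a triple, using standard netgroup semantics. The host names, the domain and the sample `getent` output are constructed; `diagnose` and `field_matches` are hypothetical helper names.

```shell
#!/bin/sh
# Added diagnostic sketch; not from the thread or the FreeIPA project.
# Netgroup triples are (host,user,domain): an empty field matches anything,
# "-" matches nothing.

field_matches() {   # $1 = field from the triple, $2 = value on this client
    case "$1" in
        "")  return 0 ;;
        "-") return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# diagnose NISDOMAIN GETENT_OUTPUT HOST_FQDN -> prints one status word
diagnose() {
    nisdomain=$1 netgr=$2 host=$3
    case "$nisdomain" in
        ""|"(none)") echo nis-domain-unset; return 0 ;;
    esac
    if [ -z "$netgr" ]; then
        echo netgroup-unresolvable; return 0
    fi
    # Split "name (h,u,d) (h,u,d)" into one "h,u,d" per line, then test each.
    if printf '%s\n' "$netgr" | tr ')' '\n' | sed -n 's/^[^(]*(//p' | tr -d ' ' | (
        while IFS=, read -r h u d; do
            if field_matches "$h" "$host" && field_matches "$d" "$nisdomain"; then
                exit 0          # leaves only this subshell
            fi
        done
        exit 1
    ); then
        echo ok
    else
        echo host-not-in-netgroup
    fi
}

# Constructed sample of what `getent netgroup hostg_build` might print.
SAMPLE='hostg_build (build01.example.com,-,example.com) (build02.example.com,-,example.com)'
diagnose example.com "$SAMPLE" build01.example.com

# On a real client (assumes domainname, getent and hostname are available):
# diagnose "$(domainname)" "$(getent netgroup hostg_build)" "$(hostname -f)"
```

A result other than `ok` points at which of the two things named in the reply, the NIS domain or netgroup resolution, to fix before expecting `sudoHost '+hostg_build'` to match.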
[Freeipa-users] EL5 sudo and IdM
Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build system) we'd like to be ipa-clients. The ipa-client v2.1.3 has been installed, that works well.

And I believe that with EL5, there is no sssd support for sudo, hence it's configured via /etc/ldap.conf

The situation I see is that sudo rule is successful only when using ALL for hosts, the example of debug message is:

sudo: ldap sudoHost 'ALL' ... MATCH!

Otherwise, it doesn't work and the message is:

sudo: ldap sudoHost '+hostg_build' ... not

The "hostg_build" is IPA host group, and if I read "man sudoers.ldap" correctly, sudoHost expects host netgroup (prefixed with a '+').

Is there any resolution here?

thanks, Zarko