Thanks Callum for your advice so far, I am now able to login to the client via the FreeIPA server authentication.
I am having trouble getting sudo access working properly. I have followed the guide you mentioned but I still cannot sudo into the client. I have opened up everything under the created “sudo rule” but I am still not able to log in with sudo privileges.
So, as a test I have selected these commands within the “sudo rules” but no success here.
Who – Anyone
Access this host – Anyhost
Run Commands – Any Command
*From the command line*
[root@ipa ~]# ipa sudorule-show sudo
Rule name: sudo
Enabled: TRUE
User category: all
Host category: all
Command category: all
RunAs User category: all
RunAs Group category: all
Sudo Option: !authenticate
Would be grateful for some advice, I am missing something here.
Regards
*Patrick McHale*
*Network and Systems Administrator*
*Infrastructure team*
*NZX REGULATED INFRASTRUCTURE & OPERATIONS*
*NZX Limited* Level 1, NZX Centre, 11 Cable Street
PO Box 2959 Wellington 6140
New Zealand
DDI: +64 4 495 2884
Mobile: +64 27 405 8340
www.nzx.com
Hi Patrick,
Firstly let's look at the sudo issue - I think you just need to add a second sudo option to block the requirement for TTY:
Rule name: full_control
Description: Allow full command access on all hosts
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
Sudo order: 2
Users: ...
User Groups: ...
Sudo Option: !authenticate, !requiretty
That should move that one along, fingers crossed it's that simple!
Home directory creation - this one is controlled by a file /etc/sysconfig/authconfig. You can enable the setting from the command line and you'll notice a service "oddjob" which runs for this purpose. Here's the command to get it going (feel free to read the man page for confirmation):
$ authconfig --enablemkhomedir --update
Finally you mentioned issues with NTP - during client install you might have noticed a warning about this - in fact my notes say it's the first thing it prints out if chrony is running. There is an installer option "--force-ntpd" which will nuke chrony and push the configuration but at this point you should probably go ahead and remove chrony manually, install ntp and point it at your server instance. Note that you'll obviously need to get the server instance running NTP and configured first. There are plenty of articles online for that and it's advisable to do a little research to strengthen your configuration.
Hopefully that gets you to level 3!
Callum
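An added example, not part of either message: a small Python audit that parses the text printed by `ipa sudorule-show` and reports how broad the rule is, which matters once a wide-open test rule like the one above is left enabled. The function names and the `SAMPLE` text (constructed from the output quoted in the thread) are assumptions for illustration.

```python
# Added example: audit the text output of `ipa sudorule-show <rule>`.
# SAMPLE is constructed from the rule output quoted in the thread.
SAMPLE = """\
  Rule name: sudo
  Enabled: TRUE
  User category: all
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Sudo Option: !authenticate
"""

def parse_rule(text):
    """Turn 'Key: value' lines into a dict; 'Sudo Option' becomes a list."""
    rule = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # skip lines that are not 'Key: value'
        key, value = key.strip(), value.strip()
        if key == "Sudo Option":
            rule[key] = [o.strip() for o in value.split(",") if o.strip()]
        else:
            rule[key] = value
    return rule

def audit_rule(rule):
    """Return a list of human-readable findings about the rule's scope."""
    if rule.get("Enabled", "").upper() != "TRUE":
        return ["rule is disabled; it grants nothing"]
    findings = []
    scope = ("User category", "Host category", "Command category")
    if all(rule.get(k) == "all" for k in scope):
        findings.append("any user may run any command on any host")
    options = rule.get("Sudo Option", [])
    if "!authenticate" in options:
        findings.append("!authenticate: sudo will not prompt for a password")
    if "!requiretty" not in options:
        findings.append("!requiretty absent: sudoers requiretty default still applies")
    return findings

if __name__ == "__main__":
    for finding in audit_rule(parse_rule(SAMPLE)):
        print("-", finding)
```

Run against the test rule from the first message, it reports all three findings; a rule scoped to named users or groups with both options set reports only the `!authenticate` line.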
On Wed, Jul 12, 2017 at 4:24 AM Patrick McHale via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: