Hi
I have an IPA server version 4.5 with one IPA replica and one IPA client, all on CentOS 7. I need to manage everything about sudoers on the IPA server, so I decided to use an external user in sudo rules, such as below:
# ipa sudorule-show behnam
  Rule name: behnam
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  External User: behnam
  Sudo Option: !authenticate
but when I check sudo in client system, it returns that behnam may not run sudo.
[behnam@***** ~]$ sudo -l
[sudo] password for behnam:
Sorry, user behnam may not run sudo on *****
Hello!
For sssd to pull sudo rules for external (local) users you will have to add a proxy domain into the /etc/sssd/sssd.conf, so sssd will know to go out to the ipa servers for the external sudo rules. While this works it is still recommended to use local sudoers for local users.
1) Add proxy domain to /etc/sssd/sssd.conf.
[domain/proxy]                        <-- Define this section (proxy domain)
id_provider = proxy
proxy_lib_name = files
proxy_pam_target = system-auth-ac
sudo_provider = ldap                  <-- This could be 'ipa' as well
ldap_uri = ldaps://rhel7-ipa-2.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt
2) Add domain to "domains" line in the [sssd] section
domains = example.com, proxy <------- Add a 'proxy' domain here
3) restart sssd.
I used this article to set up mine: https://access.redhat.com/solutions/2347541
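Since the failure mode in the original question is silent (sssd simply never asks the IPA servers for the external user's rules), a quick sanity check of /etc/sssd/sssd.conf before restarting sssd saves a round of guessing. The following is an added example, not code from this thread or from the sssd/FreeIPA projects: it parses a constructed sssd.conf shaped like the stanza in the reply above and reports what is missing for the proxy domain to fetch sudo rules. The check that 'sudo' is listed in [sssd] services is an assumption that the responder is started from that list rather than socket-activated, which is the case on the CentOS 7 sssd builds discussed here.

```python
import configparser

# Constructed sample sssd.conf modelled on the reply above (not a real host's file).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com, proxy
services = nss, pam, sudo

[domain/example.com]
id_provider = ipa
ipa_server = rhel7-ipa-2.example.com

[domain/proxy]
id_provider = proxy
proxy_lib_name = files
proxy_pam_target = system-auth-ac
sudo_provider = ldap
ldap_uri = ldaps://rhel7-ipa-2.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text (INI syntax) and keep option names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def split_list(value):
    """sssd lists are comma separated: 'example.com, proxy' -> ['example.com', 'proxy']."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_proxy_sudo_domain(text, domain="proxy"):
    """Return a list of problems; an empty list means the proxy domain looks usable for sudo."""
    problems = []
    cp = parse_sssd_conf(text)
    section = "domain/%s" % domain
    if not cp.has_section(section):
        return ["missing [%s] section" % section]
    dom = cp[section]

    # The domain must resolve identities from local files via the proxy provider.
    if dom.get("id_provider") != "proxy":
        problems.append("id_provider must be 'proxy' in [%s]" % section)
    if not dom.get("proxy_lib_name"):
        problems.append("proxy_lib_name (e.g. files) missing in [%s]" % section)
    if not dom.get("proxy_pam_target"):
        problems.append("proxy_pam_target missing in [%s]" % section)

    # sudo rules come from the IPA servers, either via the generic ldap or the ipa provider.
    provider = dom.get("sudo_provider")
    if provider not in ("ldap", "ipa"):
        problems.append("sudo_provider must be 'ldap' or 'ipa' in [%s]" % section)
    if provider == "ldap":
        uri = dom.get("ldap_uri", "")
        if not uri:
            problems.append("ldap_uri missing in [%s]" % section)
        elif not uri.startswith("ldaps://"):
            # Rules would travel unauthenticated and in the clear; the reply uses ldaps://.
            problems.append("ldap_uri should use ldaps:// so the server is verified")
        if not dom.get("ldap_tls_cacert"):
            problems.append("ldap_tls_cacert missing; the IPA CA is normally /etc/ipa/ca.crt")
        if not dom.get("ldap_sudo_search_base"):
            problems.append("ldap_sudo_search_base missing (ou=sudoers under the base DN)")

    # Step 2 of the reply: the domain only takes effect when listed in [sssd] domains.
    domains = split_list(cp.get("sssd", "domains", fallback=""))
    if domain not in domains:
        problems.append("'%s' not listed in [sssd] domains" % domain)
    # Assumption: the sudo responder is started from the services list (no socket activation).
    services = split_list(cp.get("sssd", "services", fallback=""))
    if "sudo" not in services:
        problems.append("'sudo' not listed in [sssd] services; the sudo responder will not run")
    return problems


if __name__ == "__main__":
    for problem in check_proxy_sudo_domain(SAMPLE_SSSD_CONF) or ["proxy domain looks ok"]:
        print(problem)
```

Run it against the real file with `check_proxy_sudo_domain(open("/etc/sssd/sssd.conf").read())`; an empty list means the three steps in the reply are in place, after which `systemctl restart sssd` and `sudo -l` as the external user is the end-to-end test.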
Thanks a lot. It works like a charm
On Sun, Oct 1, 2017 at 5:47 PM, Aaron Cole via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello!
For sssd to pull sudo rules for external (local) users you will have to add a proxy domain into the /etc/sssd/sssd.conf, so sssd will know to go out to the ipa servers for the external sudo rules. While this works it is still recommended to use local sudoers for local users.
- Add proxy domain to /etc/sssd/sssd.conf.
[domain/proxy]                        <-- Define this section (proxy domain)
id_provider = proxy
proxy_lib_name = files
proxy_pam_target = system-auth-ac
sudo_provider = ldap                  <-- This could be 'ipa' as well
ldap_uri = ldaps://rhel7-ipa-2.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt
- Add domain to "domains" line in the [sssd] section
domains = example.com, proxy <------- Add a 'proxy' domain here
- restart sssd.
I used this article to set up mine: https://access.redhat.com/solutions/2347541