Discussion:
[Freeipa-users] EL5 sudo and IdM
Z D
2017-05-02 00:36:26 UTC
Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build system) we'd like to be ipa-clients. The ipa-client v2.1.3 has been installed, that works well.

And I believe that with EL5, there is no sssd support for sudo, hence it's configured via /etc/ldap.conf


The situation I see is that sudo rule is successful only when using ALL for hosts, the example of debug message is:

sudo: ldap sudoHost 'ALL' ... MATCH!


Otherwise, it doesn't work and the message is:

sudo: ldap sudoHost '+hostg_build' ... not


The "hostg_build" is an IPA host group, and if I read "man sudoers.ldap" correctly, sudoHost expects a host netgroup (prefixed with a '+').


Is there any resolution here?

thanks, Zarko
Rob Crittenden
2017-05-02 01:50:10 UTC
Post by Z D
Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build
system) we'd like to be ipa-clients. The ipa-client v2.1.3 has been
installed, that works well.
And I believe that with EL5, there is no sssd support for sudo, hence
it's configured via /etc/ldap.conf
The situation I see is that sudo rule is successful only when using ALL
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoHost '+hostg_build' ... not
The "hostg_build" is IPA host group, and if I read "man sudoers.ldap"
correctly, sudoHost expects host netgroup (prefixed with a '+').
A netgroup is created for every hostgroup automatically. Make sure you
have your NIS domain set and the netgroup is resolvable using getent
netgroup foo

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
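The two conditions Rob lists (NIS domain set, netgroup resolvable with the client as a member) as an added diagnostic script; it is not from the thread or from FreeIPA, and the netgroup name, host names and the sample getent line it parses are constructed:

```shell
#!/bin/sh
# Added example: check why sudoHost '+<netgroup>' may not match on an
# EL5 sudo/ldap client. Names and sample data here are constructed.

# Print the NIS domain field of every (host,user,domain) triple found in
# one "getent netgroup" output line passed as $1, one domain per line.
netgroup_domains() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' \
        | sed -n 's/^(\([^,]*\),\([^,]*\),\([^)]*\))$/\3/p' | sort -u
}

# Return 0 when host $2 appears as the host field of a triple in line $1.
netgroup_has_host() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | grep -qF "($2,"
}

# Return 0 when the client NIS domain $1 is set and equals the domain
# recorded in the netgroup triples of line $2. sudo's netgroup matching
# compares the client's NIS domain against that field, which is why an
# unset domain ("(none)" from domainname) never matches.
nisdomain_ok() {
    case "$1" in ""|"(none)") return 1 ;; esac
    netgroup_domains "$2" | grep -qFx "$1"
}

# Live check on a real client: netgroup $1, this host's FQDN $2.
check_live() {
    ng="$1"; host="$2"
    line=$(getent netgroup "$ng") || { echo "netgroup $ng not resolvable"; return 1; }
    dom=$(domainname 2>/dev/null)
    nisdomain_ok "$dom" "$line" \
        || { echo "NIS domain '$dom' does not match the netgroup triples"; return 1; }
    netgroup_has_host "$line" "$host" || { echo "$host is not a member of $ng"; return 1; }
    echo "sudoHost +$ng should match on $host"
}

# Constructed sample of what getent prints for an IPA-managed host group.
SAMPLE='hostg_build (build1.example.test,-,example.test) (build2.example.test,-,example.test)'
```

Run check_live with the host group's netgroup and the client's FQDN on the EL5 box; the functions are separated so the parsing can be exercised on the constructed SAMPLE without a live directory.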
Lukas Slebodnik
2017-05-02 08:19:51 UTC
Post by Z D
Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build system) we'd like to be ipa-clients. The ipa-client v2.1.3 has been installed, that works well.
And I believe that with EL5, there is no sssd support for sudo, hence it's configured via /etc/ldap.conf
A little bit off-topic.

If you meant el5 == CentOS 5 then I would recommend upgrading to el6

CentOS Linux 5 has reached End of Life, as of 31 March 2017
http://centosfaq.org/centos-announce/centos-linux-5-eol/

LS