View Issue Details

ID: 0014002
Project: CentOS-7
Category: ipa
View Status: public
Last Update: 2020-04-22 18:01
Reporter: romale
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: x86_
OS:
OS Version:
Product Version: 7.4.1708
Target Version:
Fixed in Version:
Summary: 0014002: sudo rules on IPA client do not work without sudo_provider = ipa
Description: I've installed ipa-client and joined this host to the IPA server.
On the IPA server I've configured sudo rules etc., but they did not work without writing the sudo_provider = ipa option to /etc/sssd/sssd.conf

Non-working config:
cat /etc/sssd/sssd.conf
[domain/mydomain.ru]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.ru
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mail.mydomain.ru
chpass_provider = ipa
ipa_server = _srv_, ipa01.mydomain.ru
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh

domains = belozersky.msu.ru
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Working config:
cat /etc/sssd/sssd.conf
[domain/mydomain.ru]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.ru
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mail.mydomain.ru
chpass_provider = ipa
ipa_server = _srv_, ipa01.mydomain.ru
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ipa
[sssd]
services = nss, sudo, pam, ssh

domains = belozersky.msu.ru
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
Tags: No tags attached.

Activities

jmidyette

2020-04-22 18:01

reporter   ~0036751

This bug needs to be pushed upstream as the problem is 3 years old and still exists. This would be a very simple modification to the install scripts in the package(s) to modify the config file to add the line that specifies FreeIPA as the provider when performing a freeipa-client installation on a target system. In the meantime, I am adding this fix for anyone who comes across this page, because fixing bugs and resulting issues is critical to ensuring the stability and reliability of any piece of software.

Sed command that can be used in a shell script/Ansible playbook:

sed '14 a sudo_provider = ipa' /etc/sssd/sssd.conf

Explanation - sed '14 a sudo_provider = ipa' /etc/sssd/sssd.conf = after line 14 of the file '/etc/sssd/sssd.conf', add "sudo_provider = ipa"

The regular expression passed through sed should be modified if the line number is different in your sssd.conf.
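
Added example, not part of the original note or of the ipa-client packaging: a POSIX shell function that places the option by section instead of by line number, so it does not depend on where line 14 falls and can be rerun safely. The function name ensure_sudo_provider is hypothetical.

```shell
#!/bin/sh
# Added example: idempotently add "sudo_provider = ipa" to every [domain/...]
# section of an sssd.conf that sets id_provider = ipa and has no sudo_provider.
# ensure_sudo_provider is a hypothetical helper name, not an SSSD or IPA tool.
# Returns 0 if the file was changed, 1 if nothing was needed, 2 on error.

ensure_sudo_provider() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    tmp=$(mktemp) || return 2
    # Pass 1 records, per section, whether it is an IPA domain and whether it
    # already sets sudo_provider. Pass 2 prints the file and inserts the key
    # directly under the header of each section that needs it.
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*\[/ { sec = trim($0) }
        NR == FNR {
            n = index($0, "=")
            if (n && sec ~ /^\[domain\//) {
                key = trim(substr($0, 1, n - 1)); val = trim(substr($0, n + 1))
                if (key == "id_provider" && val == "ipa") ipa[sec] = 1
                if (key == "sudo_provider") has[sec] = 1
            }
            next
        }
        { print }
        /^[ \t]*\[/ && ipa[sec] && !has[sec] { print "sudo_provider = ipa" }
    ' "$conf" "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"; return 1          # already configured, file untouched
    fi
    # Overwrite the existing file instead of replacing it, so owner and mode
    # are kept (sssd expects sssd.conf to be root-owned, mode 0600).
    cat "$tmp" > "$conf"; rm -f "$tmp"
    return 0                            # changed: restart sssd afterwards
}
```

Call it as ensure_sudo_provider /etc/sssd/sssd.conf as root, and restart sssd when it returns 0.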

Issue History

Date Modified Username Field Change
2017-10-11 09:57 romale New Issue
2020-04-22 18:01 jmidyette Note Added: 0036751