0014002: sudo rules on IPA client not works without sudo_provider = ipa - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0014002	CentOS-7	ipa	public	2017-10-11 09:57	2020-04-22 18:01

Reporter	romale
Priority	normal	Severity	major	Reproducibility	always
Status	new	Resolution	open
Platform	x86_	OS		OS Version
Product Version	7.4.1708
Target Version		Fixed in Version

Summary	0014002: sudo rules on IPA client not works without sudo_provider = ipa
Description	I've installed ipa-client and join this host to ipa server. On ipa server ri've configured sudo rules etc, but it's not worked without writing sudo_provider = ipa option to /etc/sssd/sssd.conf Not worked config: cat /etc/sssd/sssd.conf [domain/mydomain.ru] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = mydomain.ru id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = mail.mydomain.ru chpass_provider = ipa ipa_server = _srv_, ipa01.mydomain.ru ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, sudo, pam, ssh domains = belozersky.msu.ru [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] Worked config: cat /etc/sssd/sssd.conf [domain/mydomain.ru] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = mydomain.ru id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = mail.mydomain.ru chpass_provider = ipa ipa_server = _srv_, ipa01.mydomain.ru ldap_tls_cacert = /etc/ipa/ca.crt sudo_provider = ipa [sssd] services = nss, sudo, pam, ssh domains = belozersky.msu.ru [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp]
Tags	No tags attached.

abrt_hash
URL

jmidyette 2020-04-22 18:01 reporter ~0036751	This bug needs to be pushed upstream as the problem is 3 years old and still exists. This would be a very simple modification to the install scripts in the package(s) to modify the config file to add the line that specifies FreeIPA as the provider when performing a freeipa-client installation on a target system. In the meantime, I am adding this fix for anyone who comes across this page, because fixing bugs and resulting issues is critical to ensuring the stability and reliability of any piece of software. Sed command that can be used in a shell script/Ansible playbook: sed '14 a sudo_provider = ipa' /etc/sssd/sssd.conf Explanation - sed '14 a sudo_provider = ipa' /etc/sssd/sssd.conf = after line 14 of the file '/etc/sssd/sssd.conf', add "sudo_provider = ipa" The regular expression passed through sed should be modified if the line number is different in your sssd.conf.

Date Modified	Username	Field	Change
2017-10-11 09:57	romale	New Issue
2020-04-22 18:01	jmidyette	Note Added: 0036751