mjedrzejewski n00b
Joined: 10 Sep 2014 Posts: 2
Posted: Tue Feb 10, 2015 2:40 pm Post subject: sudo from ldap using sssd
Hi,
I am trying to make sudo work with sssd and rules from LDAP. I have successfully configured such a setup on CentOS 6.6, but I fail to do the same on Gentoo. As far as I know, sudo just ignores rules from sssd.
Code:
tr linux # sudo -ll -U test
User test is not allowed to run sudo on tr.
sssd's debug log says that it successfully downloads and caches the rules.
Can anybody help with this?
The Arch Linux wiki says that you need to enable sssd support in sudo. Yet:
Code:
tr linux # eix sudo
[I] app-admin/sudo
Available versions: 1.8.11_p1 ~1.8.11_p2 ~1.8.12 {ldap nls offensive pam selinux +sendmail skey}
Installed versions: 1.8.11_p1(03:28:38 PM 02/10/2015)(ldap nls offensive pam sendmail -selinux -skey)
Homepage: http://www.sudo.ws/
Description: Allows users or groups to run commands as other users
You can't enable sssd support in sudo on Gentoo.
EDIT: Digging deeper into the sssd issue: Gentoo, as seen above, doesn't have an sssd USE flag, yet current sssd packages have a --with-sssd configure option. So apparently that is a bug? How does one report it to the proper Gentoo package maintainer?
Yes, I have the "sudo" USE flag on sssd.
My sssd.conf:
Code:
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = default
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=jmdi,dc=pl
ldap_sudo_search_base = ou=SUDOers,o=Initrode org,dc=example,dc=com
#ldap_sudo_full_refresh_interval=3600
ldap_sudo_full_refresh_interval=60
ldap_sudo_smart_refresh_interval=10
id_provider = ldap
sudo_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://10.3.14.151
ldap_chpass_uri = ldaps://10.3.14.151
krb5_kdcip = kerberos.example.com
cache_credentials = true
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(objectclass=shadowaccount)(objectclass=posixaccount))
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = allowedHosts
debug_level = 9
My nsswitch.conf:
Code:
passwd: compat sss
shadow: compat sss
group: compat sss
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files sss
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files sss
bootparams: files
automount: files sss
aliases: files
sudoers: files sss
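An added diagnostic script (not from the post, nor Gentoo's, sudo's or sssd's own code) that checks the three integration points this thread touches: the sudoers line in nsswitch.conf, the sudo responder and sudo_provider in sssd.conf, and whether sudo itself reports --with-sssd in its configure options. The file paths and sample file contents are constructed so it runs offline; on a real host point the functions at /etc/nsswitch.conf, /etc/sssd/sssd.conf and the saved output of `sudo -V` run as root.

```shell
#!/bin/sh
# Added diagnostic, not from the post or from any Gentoo/sssd project code.
# It checks the three places where sudo-via-sssd integration usually breaks:
# nsswitch.conf, sssd.conf and the sudo build itself. Inputs are file paths
# so it can run here against constructed samples instead of the live system.

# 1. nsswitch.conf must route the "sudoers" database to the sss module.
nsswitch_has_sss() {
    grep -E '^[[:space:]]*sudoers:' "$1" | grep -qw 'sss'
}

# 2. sssd.conf must start the sudo responder (services = ..., sudo) and
#    declare a sudo_provider in the domain section.
sssd_sudo_enabled() {
    grep -E '^[[:space:]]*services[[:space:]]*=' "$1" | tr ',' ' ' | grep -qw 'sudo' &&
        grep -Eq '^[[:space:]]*sudo_provider[[:space:]]*=' "$1"
}

# 3. sudo must be compiled with --with-sssd; run as root, `sudo -V` prints a
#    "Configure options:" line. Here that saved output is read from a file.
sudo_built_with_sssd() {
    grep -q -- '--with-sssd' "$1"
}

# Constructed samples mirroring the post: nsswitch and sssd are set up
# correctly, but the sudo binary lacks sssd support.
make_samples() {
    d=$(mktemp -d)
    printf 'passwd: compat sss\nsudoers: files sss\n' > "$d/nsswitch.conf"
    printf '[sssd]\nservices = nss, pam, sudo\n[domain/default]\nsudo_provider = ldap\n' \
        > "$d/sssd.conf"
    # constructed stand-in for `sudo -V` output, not a real capture
    printf 'Sudo version 1.8.11p1\nConfigure options: --prefix=/usr --with-ldap --with-pam\n' \
        > "$d/sudo-V.txt"
    echo "$d"
}

# Runs one check and prints a one-line verdict.
report() {
    if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi
}

dir=$(make_samples)
report nsswitch_has_sss     "$dir/nsswitch.conf"
report sssd_sudo_enabled    "$dir/sssd.conf"
report sudo_built_with_sssd "$dir/sudo-V.txt"   # the failing check in the post
```

A FAIL on the third line only, with the other two ok, matches the symptom in the post: sssd caches the rules, but sudo never consults them.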