I have been working on configuring SSSD to handle sudo natively in Fedora 17.
Here are the versions of things: sssd-1.8.3-11.fc17.x86_64 sudo-1.8.3p1-7.fc17.x86_64
This is running against a RHEL 6.2 IPA server: ipa-server-2.1.3-9.el6.x86_64
I have been using these two sources of information: https://fedoraproject.org/wiki/Features/SSSDSudoIntegration http://jhrozek.livejournal.com/2065.html (Thanks for the write up)
The bit that seems to hang for me is the ldap_sudo_search_base: the blog doesn't state explicitly that it should go in the domain section of sssd.conf, but the feature page does, so I drop it in there. After a restart even simple lookups via getent passwd won't work any more; remove it, restart sssd, and things work fine. I suppose I should mention that my test system has been working fine as an IPA client up until I start messing with the sudo bit.
The line I am trying to put into the domains section is the following: ldap_sudo_search_base = "ou=SUDOers,dc=foo,dc=com"
Any thoughts?
-Erinn
On Tue, 2012-05-29 at 09:00 -0800, Erinn Looney-Triggs wrote:
> The line I am trying to put into the domains section is the following: ldap_sudo_search_base = "ou=SUDOers,dc=foo,dc=com"
Remove the quotes. That's probably breaking the parser, which in turn causes SSSD to fail to start properly.
On 05/29/2012 09:55 AM, Stephen Gallagher wrote:
> Remove the quotes. That's probably breaking the parser, which in turn causes SSSD to fail to start properly.
Thanks, that did the trick. I will have to let Jakub know to remove the quotes in the blog post.
-Erinn
On Tue, May 29, 2012 at 10:02:47AM -0800, Erinn Looney-Triggs wrote:
> Thanks, that did the trick. I will have to let Jakub know to remove the quotes in the blog post.
Thank you, fixed.
On Tue, May 29, 2012 at 09:00:36AM -0800, Erinn Looney-Triggs wrote:
> The bit that seems to hang for me is when it comes to the ldap_sudo_search_base, the blog doesn't state explicitly that it should go in the domain section of sssd.conf, but the feature page does
I've seen other users trip over this, just that time it was ldap_autofs_search_base. I thought it was natural to put the search base in the domain section, do you feel we should improve the documentation somewhat and state it more explicitly that even the application-specific search bases go to the domain section?
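Added example, not code from the thread or from the SSSD project: a small check that flags the two mistakes discussed above (an ldap_*_search_base placed outside a [domain/...] section, and a value wrapped in quotes), run over a constructed sssd.conf in the broken form beside the corrected one. The foo.com domain and the ipa.foo.com hostname are placeholders.

```python
import configparser
import re

# Constructed sample in the shape Erinn first tried: the DN is quoted.
BROKEN_CONF = """
[sssd]
services = nss, pam, sudo
domains = foo.com

[domain/foo.com]
id_provider = ipa
ipa_server = ipa.foo.com
ldap_sudo_search_base = "ou=SUDOers,dc=foo,dc=com"
"""

# Corrected form: same option, same [domain/...] section, no quotes.
FIXED_CONF = """
[sssd]
services = nss, pam, sudo
domains = foo.com

[domain/foo.com]
id_provider = ipa
ipa_server = ipa.foo.com
ldap_sudo_search_base = ou=SUDOers,dc=foo,dc=com
"""

# Matches ldap_search_base, ldap_sudo_search_base, ldap_autofs_search_base, ...
SEARCH_BASE_RE = re.compile(r"^ldap_\w*search_base$")


def check_search_bases(conf_text):
    """Return a list of problem strings; an empty list means the config passes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(conf_text)
    problems = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if not SEARCH_BASE_RE.match(key):
                continue
            # Application-specific search bases belong in a [domain/...] section.
            if not section.startswith("domain/"):
                problems.append(f"{key} in [{section}]: expected a [domain/...] section")
            # The value is taken literally, so quotes end up inside the DN.
            if value[:1] in ('"', "'") or value[-1:] in ('"', "'"):
                problems.append(f"{key} in [{section}] is quoted: {value}")
    return problems
```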
On 05/29/2012 11:01 AM, Jakub Hrozek wrote:
> On Tue, May 29, 2012 at 09:00:36AM -0800, Erinn Looney-Triggs wrote:
> > The bit that seems to hang for me is when it comes to the ldap_sudo_search_base, the blog doesn't state explicitly that it should go in the domain section of sssd.conf, but the feature page does
> I've seen other users trip over this, just that time it was ldap_autofs_search_base. I thought it was natural to put the search base in the domain section, do you feel we should improve the documentation somewhat and state it more explicitly that even the application-specific search bases go to the domain section?
I suspect we are talking about two different classes of users: those who want it just to work (by following the instructions), and those who have a larger understanding of things. When it comes to SSSD I am probably somewhere between those two. It "seemed" like it should go in the domain section, but because it wasn't working (the quoting issue), and because there was a discrepancy between the blog and the feature page, I couldn't figure out if the location of the statement was the issue.
For most folks who just want it to work more explicit is the answer, yeah it seems like it should go in the domain section though. And if I had a dollar for every time I did something on a computer that seemed like it should work and then didn't, well I would probably be sending this e-mail from my beach villa, or not at all :).
-Erinn
sssd-users@lists.fedorahosted.org