[Freeipa-devel] [PATCH 0157] ipa-client-install: Configure sudo to use SSSD as data source

Martin Kosek mkosek at redhat.com
Mon Mar 24 13:57:30 UTC 2014


On 03/24/2014 02:47 PM, Jan Pazdziora wrote:
> On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote:
>> Hi,
>>
>> Makes ipa-client-install configure SSSD as the data provider
>> for the sudo service by default. This behaviour can be disabled
>> by using --no-sudo flag.
>>
>> https://fedorahosted.org/freeipa/ticket/3358
> 
> Ack.
> 
> Applied against ipa-client-3.0.0-37.el6.x86_64, tried without
> --no-sudo and sudo was added to sssd.conf's services list and sudoers
> added to /etc/nsswitch.conf.
> 
> Rerun with --uninstall and run again with the --no-sudo parameter,
> those settings were no longer there.
> 

Did you also do the functional test? To ack and push this ticket, the following
scenario needs to work:

1) IPA clients enroll against IPA server without --no-sudo
2) IPA client user logs in, types "sudo -l", gets all allowed commands
(prerequisite is of course to have sudo commands defined on the IPA server)
3) IPA client reboots, IPA client user logs in, types "sudo -l", gets all
allowed commands

For 2) to work, the NIS domain name must be set, and the nsswitch and SSSD
changes must be done.

For 3) to work, the related systemd service preserving the NIS domain name
setting needs to be enabled.

Martin
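
The prerequisites named for step 2 can be checked on a client before running "sudo -l". The script below is an added example, not part of the patch or of FreeIPA. Its function names are hypothetical, and it assumes that the nsswitch source for SSSD is named "sss" and that an unset NIS domain name reads as "(none)".

```shell
#!/bin/sh
# Added example (hypothetical helper names). File paths are parameters,
# so the checks can also be run against copies of the configuration files.

# True if "sudo" is listed in the services option of the [sssd] section.
sssd_has_sudo() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit !found }
    ' "$1"
}

# True if the sudoers database in nsswitch.conf lists the "sss" source
# (assumed source name); text after "#" is treated as a comment.
nsswitch_sudoers_uses_sss() {
    awk '
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, ""); sub(/#.*/, "")
            n = split($0, src)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit !found }
    ' "$1"
}

# True if the NIS domain name value is set (assumption: unset is "(none)").
nisdomain_is_set() {
    [ -n "$1" ] && [ "$1" != "(none)" ]
}

# Args: sssd.conf path, nsswitch.conf path, NIS domain name value.
# On a client: check_client /etc/sssd/sssd.conf /etc/nsswitch.conf "$(domainname)"
check_client() {
    rc=0
    sssd_has_sudo "$1" || { echo "sssd.conf: sudo not in [sssd] services"; rc=1; }
    nsswitch_sudoers_uses_sss "$2" || { echo "nsswitch.conf: sudoers lacks sss"; rc=1; }
    nisdomain_is_set "$3" || { echo "NIS domain name is not set"; rc=1; }
    return $rc
}
```

Running check_client again after a reboot shows whether the NIS domain name setting was preserved, which is what step 3 depends on.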