[Freeipa-users] Freeipa and sudo

Tomas Simecek simecek.tomas at gmail.com
Mon Jul 4 07:50:04 UTC 2016


Dear freeipa users/admins,
I'm trying to implement freeipa in our company, so that our Unix admins can
authenticate on Linux servers using their Windows AD account.
Following this guide
https://www.freeipa.org/page/Active_Directory_trust_setup it seems to work
well; they can log in without problems.
What I cannot get working is sudo from their AD accounts on Linux.

No matter what I try, it is still:

sudo systemctl restart httpd
[sudo] password for simecek.tomas@sd-stc.cz:
Sorry, try again.

Here's our setup:
Freeipa server: CentOS Linux release 7.2.1511 (Core),
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
Freeipa client: the same

AD domain name: sd-stc.cz
IPA domain: linuxdomain.cz

When digging in logs and googling, I realized that the problem on the client
side could be:

[root@spcss-2t-www ~]# kinit -k
kinit: Cannot determine realm for host (principal host/spcss-2t-www@)

But this seems to work:
[root@spcss-2t-www ~]# kinit simecek.tomas@SD-STC.CZ
Password for simecek.tomas@SD-STC.CZ:
[root@spcss-2t-www ~]# klist
Default principal: simecek.tomas@SD-STC.CZ

Valid starting       Expires              Service principal
07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ@SD-STC.CZ
        renew until 07/05/2016 09:36:23

My /etc/sssd/sssd.conf:
[domain/linuxdomain.cz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
krb5_realm = LINUXDOMAIN.CZ
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spcss-2t-www.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = linuxdomain.cz
[nss]
homedir_substring = /home
....

My /etc/krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = LINUXDOMAIN.CZ
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  LINUXDOMAIN.CZ = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }


[domain_realm]
  .linuxdomain.cz = LINUXDOMAIN.CZ
  linuxdomain.cz = LINUXDOMAIN.CZ

Would you please suggest which way to investigate?

Thanks

Tomas Simecek
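An added example (not part of the original post or of FreeIPA/SSSD) showing the first things one would check in an sssd.conf like the one quoted above when sudo rules are not resolved: that the `sudo` responder is enabled in `[sssd] services`, that each listed domain has its section, and how the sudo provider is wired. The rules encode documented sssd.conf(5)/sssd-ipa(5) behaviour: with `id_provider = ipa` the IPA provider can also serve sudo rules itself (`sudo_provider = ipa`) over the connection it already authenticates with the host keytab, whereas `sudo_provider = ldap` needs its own `ldap_uri`, search base and SASL settings. The configuration text is a constructed copy of the posted file (the trailing `....` dropped); the function names are this example's own.

```python
"""Sanity-check the sudo-related parts of an sssd.conf (added example)."""
import configparser

# Constructed copy of the sssd.conf quoted in the post, as parser input.
SAMPLE_SSSD_CONF = """\
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
krb5_realm = LINUXDOMAIN.CZ
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spcss-2t-www.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz

[nss]
homedir_substring = /home
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; option names stay case-sensitive like SSSD's parser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _csv(cp, section, option):
    """Split a comma-separated sssd.conf value into a clean list."""
    raw = cp.get(section, option, fallback="")
    return [item.strip() for item in raw.split(",") if item.strip()]


def check_sudo_config(text):
    """Return a list of (severity, message) findings about sudo rule resolution."""
    cp = parse_sssd_conf(text)
    findings = []

    # The sudo responder must be running, or sudo never asks SSSD at all.
    if "sudo" not in _csv(cp, "sssd", "services"):
        findings.append(("error", "[sssd] services does not include 'sudo'"))

    for dom in _csv(cp, "sssd", "domains"):
        sect = "domain/" + dom
        if not cp.has_section(sect):
            findings.append(("error", f"domain '{dom}' is listed but [{sect}] is missing"))
            continue
        id_prov = cp.get(sect, "id_provider", fallback=None)
        sudo_prov = cp.get(sect, "sudo_provider", fallback=None)

        # IPA clients can let the IPA provider fetch sudo rules directly.
        if id_prov == "ipa" and sudo_prov == "ldap":
            findings.append(("info", f"[{sect}] uses sudo_provider = ldap with id_provider = ipa; "
                                     "sudo_provider = ipa reuses the IPA connection and host keytab"))

        # The generic LDAP sudo provider needs its own connection details.
        if sudo_prov == "ldap":
            if not cp.get(sect, "ldap_uri", fallback=""):
                findings.append(("error", f"[{sect}] sudo_provider = ldap but ldap_uri is unset"))
            if not cp.get(sect, "ldap_sudo_search_base", fallback=""):
                findings.append(("warn", f"[{sect}] sudo_provider = ldap but "
                                         "ldap_sudo_search_base is unset"))
            authid = cp.get(sect, "ldap_sasl_authid", fallback="")
            if cp.get(sect, "ldap_sasl_mech", fallback="") == "GSSAPI" and authid and "@" not in authid:
                findings.append(("info", f"[{sect}] GSSAPI bind principal has no explicit realm: {authid!r}"))

        # The host principal in the keytab is host/<fqdn>@REALM, so a short name cannot match.
        host = cp.get(sect, "ipa_hostname", fallback="")
        if host and "." not in host:
            findings.append(("warn", f"[{sect}] ipa_hostname '{host}' is not fully qualified"))
    return findings


if __name__ == "__main__":
    for severity, message in check_sudo_config(SAMPLE_SSSD_CONF):
        print(f"{severity}: {message}")
```

Run against the posted configuration it reports only the informational note about `sudo_provider = ldap` next to `id_provider = ipa`; removing `sudo` from `services` turns that into an error, which is the quickest way to confirm the checker is reading the file you think it is. It deliberately says nothing about the separate `kinit -k` failure, which depends on the host's own name and keytab rather than on sssd.conf.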