There should be a flag in ipa-client-install that would invoke setting up sudo configuration to use SSSD as a data source.
This involves:
1. put sudo into services in sssd.conf
2. put "sudoers: [files, ] sss" into /etc/nsswitch.conf
3. Configure client domainname in ipa-client-install (it is needed so that netgroups (i.e. IPA SUDO hostgroups) work).
This needs a little coordination with SSSD ticket: https://fedorahosted.org/sssd/ticket/1733
Currently there are more changes in sssd.conf that need to be done in order to run sudo with SSSD (see sssd-sudo). But once this ticket is done, the former will suffice.
Is this something that we'd want authconfig to do?
I don't think so. If I'm correct, authconfig doesn't configure sudo to use LDAP so it shouldn't handle SSSD either.
Ok, fair enough. We will already manually update nsswitch.conf for automount, adding sudo shouldn't be a big deal.
Increasing priority, there was another request for this feature.
I think this would be better to solve along with https://fedorahosted.org/sssd/ticket/1733. Then the scope of the ipa-client-install change could have been reduced to configuring nsswitch.conf.
Replying to [comment:8 jhrozek]:
Right. Moving the ticket to NEEDS_TRIAGE so that we discuss re-targeting it.
I'd like to mention that the sudo module for sssd is not included in the default package. This can be fixed by changing the srpm to not create a separate package or by changing the dependencies for freeipa. Feel free to add more options.
Adding one more step - NIS domainname needs to be set.
Also note that we had a discussion with Tomas Mraz, an owner of authconfig component and he is willing to add support of configuring sudoers in nsswitch.conf directly to authconfig. See https://bugzilla.redhat.com/show_bug.cgi?id=975082 for more details.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=988875 (Fedora)
I probably don't have permissions to modify the ticket description. It wrongly says:
put "sudoers: [files, ] sssd" into /etc/nsswitch.conf
It should be sss without d.
Replying to [comment:19 pbrezina]:
I corrected the description, thanks.
3.4 development was shifted by one month, moving tickets to reflect reality better.
Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.
Moving unfinished November tickets to January.
This ticket is not complete yet, moving to next month milestone.
master:
Metadata Update from @pbrezina: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.0 - 2014/04
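A check for the three client-side settings discussed in this ticket (sudo in the sssd.conf services, sss on the sudoers line of nsswitch.conf, and a set NIS domainname), written as an added example and not taken from ipa-client-install. The function names and sample file contents are constructed for illustration; the caller is assumed to pass in the output of `domainname`, which prints `(none)` when no NIS domain is set.

```python
import configparser
import re

def sssd_services(sssd_conf_text):
    """Return the services listed in the [sssd] section of sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_conf_text)
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]

def nsswitch_sources(nsswitch_text, database):
    """Return the lookup sources of one nsswitch.conf database, in order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Remove action items such as [NOTFOUND=return] before splitting.
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def check_sudo_sssd(sssd_conf_text, nsswitch_text, nis_domain):
    """Return a list of problems; an empty list means all three steps are done."""
    problems = []
    if "sudo" not in sssd_services(sssd_conf_text):
        problems.append("sssd.conf: 'sudo' missing from services in [sssd]")
    sources = nsswitch_sources(nsswitch_text, "sudoers")
    if "sss" not in sources:
        # The source is named 'sss'; 'sssd' is the daemon, not an NSS source.
        hint = " ('sssd' should be 'sss')" if "sssd" in sources else ""
        problems.append("nsswitch.conf: sudoers line lacks 'sss'" + hint)
    if not nis_domain.strip() or nis_domain.strip() == "(none)":
        problems.append("NIS domainname is not set")
    return problems

# Constructed sample inputs (not from a real host).
SAMPLE_SSSD_OK = "[sssd]\nservices = nss, pam, sudo\ndomains = example.test\n"
SAMPLE_SSSD_BAD = "[sssd]\nservices = nss, pam\n\n[domain/example.test]\nid_provider = ipa\n"
SAMPLE_NSS_OK = "passwd: files sss\nsudoers: files sss  # sudo rules from SSSD\n"
SAMPLE_NSS_TYPO = "passwd: files sss\nsudoers: files sssd\n"

if __name__ == "__main__":
    for p in check_sudo_sssd(SAMPLE_SSSD_BAD, SAMPLE_NSS_TYPO, "(none)"):
        print("FAIL:", p)
```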