freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#3358 [RFE] ipa-client-install should support sudo configuration

Created 4 years ago by pbrezina
Modified 9 months ago

There should be a flag in ipa-client-install that would invoke setting up sudo configuration to use SSSD as a data source.

This involves:
1. put sudo into services in sssd.conf
2. put "sudoers: [files, ] sss" into /etc/nsswitch.conf
3. Configure client domainname in ipa-client-install (it is needed so that netgroups (i.e. IPA SUDO hostgroups) work).

This needs a little coordination with SSSD ticket:
https://fedorahosted.org/sssd/ticket/1733

Currently there are more changes in sssd.conf that need to be done in order to run sudo with SSSD (see sssd-sudo). But once this ticket is done, the former will suffice.
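
A check for the three steps listed in the description above, added here as an example; it is not part of the ticket or of FreeIPA's code. The file contents are constructed samples, and the function names and the `(none)` value treated as an unset NIS domain are assumptions of this example.

```python
import configparser
import re

# Constructed sample file contents, not taken from a real host.
SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
"""
NSSWITCH_CONF = """\
passwd:   files sss
# sudoers: files
sudoers:  files sss
"""

def sssd_has_sudo_service(text):
    """Step 1: 'sudo' is listed in services= of the [sssd] section."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    services = cp.get("sssd", "services", fallback="")
    return "sudo" in [s.strip() for s in services.split(",")]

def nsswitch_sudoers_sources(text):
    """Step 2: return the sources on the active (uncommented) sudoers line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"sudoers\s*:\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return []

def nis_domain_is_set(name):
    """Step 3: NIS domain name is set; '(none)' is assumed to mean unset."""
    return bool(name) and name.strip() not in ("", "(none)")

def check_client(sssd_text, nsswitch_text, nis_domain):
    """Run all three checks; the source must be exactly 'sss', not 'sssd'."""
    return {
        "sssd_sudo_service": sssd_has_sudo_service(sssd_text),
        "nsswitch_sudoers_sss": "sss" in nsswitch_sudoers_sources(nsswitch_text),
        "nis_domain_set": nis_domain_is_set(nis_domain),
    }

if __name__ == "__main__":
    print(check_client(SSSD_CONF, NSSWITCH_CONF, "example.test"))
```

On a real client the inputs would be the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf and the output of `domainname`.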

Is this something that we'd want authconfig to do?

I don't think so. If I'm correct, authconfig doesn't configure sudo to use LDAP so it shouldn't handle SSSD either.

Ok, fair enough. We will already manually update nsswitch.conf for automount, adding sudo shouldn't be a big deal.

Increasing priority, there was another request for this feature.

I think this would be better to solve along with https://fedorahosted.org/sssd/ticket/1733. Then the scope of the ipa-client-install change could have been reduced to configuring nsswitch.conf.

Replying to [comment:8 jhrozek]:

I think this would be better to solve along with https://fedorahosted.org/sssd/ticket/1733. Then the scope of the ipa-client-install change could have been reduced to configuring nsswitch.conf.

Right. Moving the ticket to NEEDS_TRIAGE so that we discuss re-targeting it.

I'd like to mention that the sudo module for sssd is not included in the default package. This can be fixed by changing the srpm to not create a separate package or by changing the dependencies for freeipa. Feel free to add more options.

Adding one more step - NIS domainname needs to be set.

Also note that we had a discussion with Tomas Mraz, an owner of the authconfig component, and he is willing to add support for configuring sudoers in nsswitch.conf directly to authconfig. See https://bugzilla.redhat.com/show_bug.cgi?id=975082 for more details.

I probably don't have permissions to modify the ticket description. It wrongly says:

put "sudoers: [files, ] sssd" into /etc/nsswitch.conf

It should be sss without d.

Replying to [comment:19 pbrezina]:

I corrected the description, thanks.

3.4 development was shifted by one month, moving tickets to reflect reality better.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Moving unfinished November tickets to January.

This ticket is not complete yet, moving to next month milestone.

master:

  • d90eb46 ipa-client: Set NIS domain name in the installer
  • ef3c9d3 ipa-client-install: Configure sudo to use SSSD as data source
  • 5ce88a1 ipatests: Add Sudo integration test
9 months ago

Metadata Update from @pbrezina:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 - 2014/04


enhancement

Client

1

https://bugzilla.redhat.com/show_bug.cgi?id=924395, https://bugzilla.redhat.com/show_bug.cgi?id=988875

ipa-client-install now automatically configures SUDO support on client machines thus making FreeIPA SUDO integration very easy to use.

N/A (minor feature)
