There is a new version of sssd (1.13.3-3) in Fedora which supports the native IPA schema RHBZ1256849. It will be in updates-testing on Fedora 22+ in a few days.
However, the new native IPA schema does not support hostmask and therefore the freeipa sudo upstream test will fail.
=================================== FAILURES ===================================
______________ TestSudo.test_sudo_rule_restricted_to_one_hostmask ______________

self = <ipatests.test_integration.test_sudo.TestSudo object at 0x7ffa5fe97dd0>

    def test_sudo_rule_restricted_to_one_hostmask(self):
        if self.__class__.skip_hostmask_based:
            raise pytest.skip("Hostmask could not be detected")

        result1 = self.list_sudo_commands("testuser1")
>       assert "(ALL : ALL) NOPASSWD: ALL" in result1.stdout_text
E       assert '(ALL : ALL) NOPASSWD: ALL' in ''
E        +  where '' = <pytest_multihost.transport.SSHCommand object at 0x7ffa5febb450>.stdout_text

test_integration/test_sudo.py:295: AssertionError
==================== 1 failed, 74 passed in 1331.73 seconds ====================
It works only with the old sudo schema, and you need to change the sssd conf to set the sudo search base to the old schema. The default for ldap_sudo_search_base is cn=sudo,$base_dn; the old schema is in ou=sudoers,$base_dn, e.g.
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
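An added example, not part of the ticket or of the FreeIPA/SSSD code: a small check that reads an sssd.conf and reports, per domain, which sudo schema the `ldap_sudo_search_base` setting described above selects, so hosts that will no longer evaluate hostmask-restricted rules can be found before the update lands. It assumes an sssd build with native IPA schema support (1.13.3-3 or later, per this ticket); the sample configuration, domain names and function names are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf; domain names and values are made up.
SAMPLE_CONF = """
[sssd]
services = nss, pam, sudo
domains = ipa.example.com, legacy.example.com

[domain/ipa.example.com]
id_provider = ipa

[domain/legacy.example.com]
id_provider = ipa
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
"""


def sudo_schema_by_domain(conf_text):
    """Map each [domain/...] section to the sudo schema its search base selects."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    result = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        base = parser.get(section, "ldap_sudo_search_base", fallback="")
        # Only the leading RDN tells the two trees apart.
        first_rdn = base.split(",", 1)[0].replace(" ", "").lower()
        if not base or first_rdn == "cn=sudo":
            schema = "native-ipa"   # default: cn=sudo,$base_dn
        elif first_rdn == "ou=sudoers":
            schema = "old"          # ou=sudoers,$base_dn
        else:
            schema = "unknown"
        result[section[len("domain/"):]] = schema
    return result


def domains_without_hostmask(conf_text):
    """Domains on the native IPA schema, where hostmask rules will not match."""
    schemas = sudo_schema_by_domain(conf_text)
    return sorted(d for d, s in schemas.items() if s == "native-ipa")


if __name__ == "__main__":
    for domain, schema in sudo_schema_by_domain(SAMPLE_CONF).items():
        print(f"{domain}: {schema}")
```
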
Seems to be similar to https://fedorahosted.org/freeipa/ticket/5501
Replying to [comment:1 akasurde]:
> Seems to be similar to https://fedorahosted.org/freeipa/ticket/5501

No, it isn't. I would recommend properly reading the description of the ticket.
ipa-4-2:
ipa-4-3:
master:
Metadata Update from @lslebodn: - Issue assigned to mbabinsk - Issue set to the milestone: FreeIPA 4.2.4