From Fedora Project Wiki

(Created page with "{{QA/Test_Case |description= Offline access to sudo rules. |setup= * Make sure you have sudo 1.8.6 rc3 or later installed ([http://koji.fedoraproject.org/koji/buildinfo?bu...")
 
Line 36: Line 36:
 
  krb5_server = server.ipa.example.com
 
  krb5_server = server.ipa.example.com
 
  ...
 
  ...
 +
 +
Configure sudo to use SSSD as a sudoers source in <code>/etc/nsswitch.conf</code>:
 +
 +
sudoers: files sss
 +
 +
Finally, restart SSSD:
 +
 +
root@client# service sssd restart
  
 
=== Sudo testing ===
 
=== Sudo testing ===
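Review bot: The added nsswitch step gives `sudoers: files sss` without saying whether it replaces an existing `sudoers:` entry in /etc/nsswitch.conf or is added as a new line; wording it as "set the sudoers entry to" would keep a tester from ending up with two entries. The `service sssd restart` step is also the last action before the Sudo testing heading, so a check that SSSD came back up belongs right after it, since a failed restart would otherwise only show up later as a sudo test failure.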

Revision as of 14:48, 12 September 2012

Description

Offline access to sudo rules.

Setup

  • Make sure you have sudo 1.8.6 rc3 or later installed (Koji build).
  • Make sure you have SSSD 1.9.0beta7 or later installed (Koji build).
  • Install FreeIPA server with DNS on one machine, server.ipa.example.com, and FreeIPA client on another machine, client.ipa.example.com (see Basic installation tests).

How to test

Configure SSSD

On client.ipa.example.com, you have to make some changes to /etc/sssd/sssd.conf.

Make sure the sudo service is enabled in the [sssd] section:

[sssd]
...
services = nss, pam, ssh, sudo
...

In the FreeIPA domain section, you have to make the following changes (see man sssd-sudo for more information):

[domain/IPA.EXAMPLE.COM]
...
sudo_provider = ldap
ldap_uri = ldap://server.ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.ipa.example.com
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server = server.ipa.example.com
...

Configure sudo to use SSSD as a sudoers source in /etc/nsswitch.conf:

sudoers: files sss

Finally, restart SSSD:

root@client# service sssd restart
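
Before moving on to the sudo tests, the two files can be checked against the steps above. The following is an added example, not part of the original test case or of SSSD: the function name check_sudo_setup and its problem messages are assumptions made here, and it takes the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf as strings.

```python
import configparser

# Options this page sets in the FreeIPA domain section.
# None means "any non-empty value is accepted".
REQUIRED_DOMAIN_OPTS = {
    "sudo_provider": "ldap",
    "ldap_uri": None,
    "ldap_sudo_search_base": None,
    "ldap_sasl_mech": "GSSAPI",
    "ldap_sasl_authid": None,
    "ldap_sasl_realm": None,
    "krb5_server": None,
}

def check_sudo_setup(sssd_conf, nsswitch_conf, domain="IPA.EXAMPLE.COM"):
    """Return a list of problems; an empty list means both files match the steps."""
    problems = []
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    try:
        cp.read_string(sssd_conf)
    except configparser.Error as exc:
        return ["sssd.conf does not parse: %s" % exc]
    # Step 1: the sudo responder must be listed in [sssd] services.
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        problems.append("[sssd] services does not list sudo")
    # Step 2: the domain section must carry the sudo/LDAP/GSSAPI options.
    section = "domain/" + domain
    if not cp.has_section(section):
        problems.append("missing section [%s]" % section)
    else:
        for opt, want in REQUIRED_DOMAIN_OPTS.items():
            got = cp.get(section, opt, fallback="").strip()
            if not got:
                problems.append("%s is not set in [%s]" % (opt, section))
            elif want is not None and got.lower() != want.lower():
                problems.append("%s = %s, expected %s" % (opt, got, want))
    # Step 3: nsswitch.conf lines are "database: source ..."; '#' starts a comment.
    sources = None
    for line in nsswitch_conf.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and db.strip() == "sudoers":
            sources = rest.split()
    if sources is None:
        problems.append("nsswitch.conf has no sudoers line")
    elif "sss" not in sources:
        problems.append("sudoers line does not list sss")
    return problems
```

The check only reads the files; it does not confirm that SSSD restarted or that the client can reach server.ipa.example.com.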

Sudo testing

TODO.

Expected Results

All the test steps should end with the specified results.