From Fedora Project Wiki
Revision as of 14:48, 12 September 2012
Description
Offline access to sudo rules.
Setup
- Make sure you have sudo 1.8.6 rc3 or later installed (Koji build).
- Make sure you have SSSD 1.9.0beta7 or later installed (Koji build).
- Install FreeIPA server with DNS on one machine, server.ipa.example.com, and FreeIPA client on another machine, client.ipa.example.com (see Basic installation tests).
How to test
Configure SSSD
On client.ipa.example.com, you have to make some changes to /etc/sssd/sssd.conf.
Make sure the sudo service is enabled in the [sssd] section:
    [sssd]
    ...
    services = nss, pam, ssh, sudo
    ...
In the FreeIPA domain section, you have to make the following changes (see man sssd-sudo for more information):
    [domain/IPA.EXAMPLE.COM]
    ...
    sudo_provider = ldap
    ldap_uri = ldap://server.ipa.example.com
    ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/client.ipa.example.com
    ldap_sasl_realm = IPA.EXAMPLE.COM
    krb5_server = server.ipa.example.com
    ...
Configure sudo to use SSSD as a sudoers source in /etc/nsswitch.conf:
    sudoers: files sss
Finally, restart SSSD:
    root@client# service sssd restart
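The configuration steps above can be checked before any sudo testing with a small script. This is an added example, not part of the original test case; the function names ini_get and check_sssd_sudo are hypothetical, and the demo runs on constructed sample files rather than a live system.

```sh
#!/bin/sh
# Added example: verify the SSSD sudo settings described in the steps above.

# ini_get FILE SECTION KEY: print KEY's value inside [SECTION] of an ini file.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s); in_sec = (s == sec); next }
        !in_sec || /^[ \t]*[#;]/ { next }
        {
            pos = index($0, "="); if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# check_sssd_sudo SSSD_CONF NSSWITCH_CONF DOMAIN: return 0 if all checks pass.
check_sssd_sudo() {
    conf=$1; nss=$2; domain=$3; rc=0
    # [sssd] services must list sudo so that SSSD starts its sudo responder.
    case ",$(ini_get "$conf" sssd services | tr -d ' \t')," in
        *,sudo,*) ;;
        *) echo "FAIL: sudo not in [sssd] services"; rc=1 ;;
    esac
    # The domain section needs a sudo provider and a search base for the rules.
    for key in sudo_provider ldap_sudo_search_base; do
        [ -n "$(ini_get "$conf" "domain/$domain" "$key")" ] ||
            { echo "FAIL: $key missing in [domain/$domain]"; rc=1; }
    done
    # nsswitch.conf must name sss as a sudoers source, or sudo never asks SSSD.
    awk '$1 == "sudoers:" { for (i = 2; i <= NF && $i !~ /^#/; i++) if ($i == "sss") ok = 1 }
         END { exit !ok }' "$nss" || { echo "FAIL: sss not in sudoers: line"; rc=1; }
    return "$rc"
}

# Demo on constructed sample files (not read from a live system).
demo_dir=$(mktemp -d)
printf '%s\n' '[sssd]' 'services = nss, pam, ssh, sudo' \
    '[domain/IPA.EXAMPLE.COM]' 'sudo_provider = ldap' \
    'ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com' > "$demo_dir/sssd.conf"
printf '%s\n' 'sudoers: files sss' > "$demo_dir/nsswitch.conf"
check_sssd_sudo "$demo_dir/sssd.conf" "$demo_dir/nsswitch.conf" IPA.EXAMPLE.COM &&
    echo "PASS: SSSD is configured as a sudoers source"
rm -rf "$demo_dir"
```

On the client, call check_sssd_sudo with /etc/sssd/sssd.conf, /etc/nsswitch.conf and IPA.EXAMPLE.COM as arguments instead of the demo files.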
Sudo testing
TODO.
Expected Results
All the test steps should end with the specified results.