Ticket #3358 (assigned enhancement)

Opened 15 months ago

Last modified 9 days ago

[RFE] ipa-client-install should support sudo configuration

Reported by: pbrezina
Owned by: tbabej
Priority: major
Milestone: FreeIPA 4.0 - 2014/04
Component: Client
Version:
Keywords:
Cc: jhrozek, chudson, bcook, nathan.f77@…
Blocked By:
Blocking:
Affects Documentation: no
Patch posted for review: yes
Red Hat Bugzilla: 924395, todo, 988875
Patch review by:
External tracker:
Design link:
Needs UI design:
Fedora test page:
Feature:
Source:
Expertise:
Release Notes:

Description (last modified by rcritten)

There should be a flag in ipa-client-install that would invoke setting up sudo configuration to use SSSD as a data source.

This involves:

  1. put sudo into services in sssd.conf
  2. put "sudoers: [files, ] sss" into /etc/nsswitch.conf
  3. Configure client domainname in ipa-client-install (it is needed so that netgroups (i.e. IPA SUDO hostgroups) work).

This needs a little coordination with SSSD ticket: https://fedorahosted.org/sssd/ticket/1733

Currently there are more changes in sssd.conf that need to be done in order to run sudo with SSSD (see sssd-sudo). But once this ticket is done, the former will suffice.
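
A read-only check for the three steps listed in the description, added here as an example; it is not FreeIPA or ipa-client-install code. The function names and sample file contents are constructed, and `nis_domain` is assumed to be the string printed by the `domainname` command, which prints `(none)` when no NIS domain is set.

```python
import configparser

def sssd_has_sudo(sssd_conf_text):
    """True if 'sudo' is listed in 'services' of the [sssd] section."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(sssd_conf_text)
    services = cp.get("sssd", "services", fallback="")
    return "sudo" in [s.strip() for s in services.split(",")]

def sudoers_sources(nsswitch_text):
    """Sources on the 'sudoers:' line of nsswitch.conf, [] if no such line."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        if ":" in line:
            db, sources = line.split(":", 1)
            if db.strip() == "sudoers":
                return sources.split()
    return []

def audit(sssd_conf_text, nsswitch_text, nis_domain):
    """Return one finding per step of the ticket that is not in place."""
    findings = []
    if not sssd_has_sudo(sssd_conf_text):
        findings.append("sssd.conf: 'sudo' not in [sssd] services")
    sources = sudoers_sources(nsswitch_text)
    if "sss" not in sources:
        # The source is named 'sss'; 'sssd' is an easy mistake to make.
        hint = " (found 'sssd'; the source is named 'sss')" if "sssd" in sources else ""
        findings.append("nsswitch.conf: sudoers line lacks 'sss'" + hint)
    if nis_domain.strip() in ("", "(none)"):
        findings.append("domainname: NIS domain not set")
    return findings

# Constructed sample inputs (not taken from a real host).
GOOD_SSSD = ("[sssd]\nservices = nss, pam, ssh, sudo\ndomains = example.test\n\n"
             "[domain/example.test]\nid_provider = ipa\n")
BAD_SSSD = ("[sssd]\nservices = nss, pam\ndomains = example.test\n\n"
            "[domain/example.test]\nid_provider = ipa\n")
GOOD_NSS = "passwd: files sss\nsudoers: files sss\n"
BAD_NSS = "passwd: files sss\nsudoers: files sssd  # wrong source name\n"

if __name__ == "__main__":
    for finding in audit(BAD_SSSD, BAD_NSS, "(none)"):
        print(finding)
```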

Change History

comment:1 Changed 15 months ago by rcritten

Is this something that we'd want authconfig to do?

comment:2 Changed 15 months ago by pbrezina

I don't think so. If I'm correct, authconfig doesn't configure sudo to use LDAP so it shouldn't handle SSSD either.

comment:3 Changed 15 months ago by rcritten

Ok, fair enough. We will already manually update nsswitch.conf for automount, adding sudo shouldn't be a big deal.

comment:4 Changed 15 months ago by arubin

  • Milestone changed from 0.0 NEEDS_TRIAGE to Pilsner barrel

comment:5 Changed 15 months ago by arubin

  • Type changed from defect to enhancement

comment:6 Changed 15 months ago by arubin

  • Red Hat Bugzilla set to todo

comment:7 Changed 14 months ago by mkosek

  • Priority changed from major to critical

Increasing priority, there was another request for this feature.

comment:8 follow-up: ↓ 10 Changed 14 months ago by jhrozek

I think this would be better to solve along with https://fedorahosted.org/sssd/ticket/1733. Then the scope of the ipa-client-install change could have been reduced to configuring nsswitch.conf.

comment:9 Changed 14 months ago by jhrozek

  • Cc jhrozek added

comment:10 in reply to: ↑ 8 Changed 14 months ago by mkosek

Replying to jhrozek:

I think this would be better to solve along with https://fedorahosted.org/sssd/ticket/1733. Then the scope of the ipa-client-install change could have been reduced to configuring nsswitch.conf.

Right. Moving the ticket to NEEDS_TRIAGE so that we discuss re-targeting it.

comment:11 Changed 14 months ago by hanb

I'd like to mention that the sudo module for sssd is not included in the default package. This can be fixed by changing the srpm to not create a separate package or by changing the dependencies for freeipa. Feel free to add more options.

comment:12 Changed 13 months ago by chudson

  • Cc chudson added

comment:13 Changed 13 months ago by dpal

  • Summary changed from ipa-client-install should support sudo configuration to [RFE] ipa-client-install should support sudo configuration

comment:14 Changed 13 months ago by mkosek

  • Red Hat Bugzilla changed from todo to [https://bugzilla.redhat.com/show_bug.cgi?id=924395 924395], todo

comment:15 Changed 10 months ago by bcook

  • Cc bcook added

comment:16 Changed 10 months ago by mkosek

  • Description modified

Adding one more step - NIS domainname needs to be set.

Also note that we had a discussion with Tomas Mraz, an owner of the authconfig component, and he is willing to add support for configuring sudoers in nsswitch.conf directly to authconfig. See https://bugzilla.redhat.com/show_bug.cgi?id=975082 for more details.

Last edited 10 months ago by mkosek

comment:17 Changed 9 months ago by dpal

  • Milestone changed from Pilsner barrel to 2013 Month 08 - August (3.4)
  • Priority changed from critical to major

comment:18 Changed 9 months ago by mkosek

  • Red Hat Bugzilla changed from [https://bugzilla.redhat.com/show_bug.cgi?id=924395 924395], todo to [https://bugzilla.redhat.com/show_bug.cgi?id=924395 924395], todo, [https://bugzilla.redhat.com/show_bug.cgi?id=988875 988875]

comment:19 follow-up: ↓ 20 Changed 8 months ago by pbrezina

I probably don't have permissions to modify the ticket description. It wrongly says:

put "sudoers: [files, ] sssd" into /etc/nsswitch.conf

It should be sss without d.

comment:20 in reply to: ↑ 19 Changed 8 months ago by rcritten

  • Description modified

Replying to pbrezina:

I corrected the description, thanks.

comment:21 Changed 7 months ago by mkosek

  • Milestone changed from 2013 Month 08 - August (3.4) to 2013 Month 09 - September (3.4)

3.4 development was shifted by one month, moving tickets to reflect reality better.

comment:22 Changed 7 months ago by tbabej

  • Owner changed from someone to tbabej

comment:23 Changed 5 months ago by mkosek

  • Milestone changed from 2013 Month 09 - September (3.4) to 2013 Month 11 - November (3.4)

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

comment:24 Changed 5 months ago by mkosek

  • Component changed from IPA to Client

comment:25 Changed 5 months ago by tbabej

  • Status changed from new to assigned

comment:26 Changed 4 months ago by mkosek

  • Milestone changed from 2013 Month 11 - November (3.4) to 2014 Month 1 - January (3.4)

Moving unfinished November tickets to January.

comment:27 Changed 2 months ago by mkosek

  • Milestone changed from FreeIPA 3.4 - 2014/01 to FreeIPA 3.4 - 2014/02

comment:28 Changed 6 weeks ago by mkosek

  • Milestone changed from FreeIPA 4.0 - 2014/02 to FreeIPA 4.0 - 2014/03

comment:29 Changed 5 weeks ago by tbabej

  • Patch posted for review set

comment:30 Changed 9 days ago by mkosek

  • Milestone changed from FreeIPA 4.0 - 2014/03 to FreeIPA 4.0 - 2014/04

This ticket is not complete yet, moving to next month's milestone.

comment:31 Changed 9 days ago by ndbroadbent

  • Cc nathan.f77@… added