Bug 924395

Summary: [RFE] ipa-client-install should configure sudo automatically
Product: Red Hat Enterprise Linux 7
Reporter: Arthur <arthur-fayzullin>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.0
CC: javier.ramirez, jherrman, jswensso, martin, mkosek, pviktori, xdong
Target Milestone: rc
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Release Note
Doc Text:
With this update, the "ipa-client-install" command by default configures SSSD as the data provider for the sudo service. This behavior can be disabled by using the "--no-sudo" option. In addition, the "--nisdomain" option has been added to specify the NIS domain name for the IdM client installation, and the "--no-nisdomain" option has been added to avoid setting the NIS domain name. If neither of these options is used, the IPA domain is used instead.
Last Closed: 2015-03-05 10:09:11 UTC
Type: Bug
Bug Blocks: 1111121

Description Arthur 2013-03-21 17:04:23 UTC
Description of problem:

It is an enhancement bug. I think, since from EL .4 it is possible to configure sssd_sudo integration, that libsss_sudo should be added as a dependency to ipa-client package.
Otherwise it is possible to autoremove it with yum "clean_requirements_on_remove" option active.

Comment 1 Arthur 2013-03-21 17:11:37 UTC
sorry! I mean el6.4
(In reply to comment #0)
> Description of problem:
> 
> It is an enhancement bug. I think, since from EL .4 it is possible to configure
> sssd_sudo integration, that libsss_sudo should be added as a dependency to
> ipa-client package.
> Otherwise it is possible to autoremove it with yum
> "clean_requirements_on_remove" option active.

Comment 2 Rob Crittenden 2013-03-21 17:19:04 UTC
When ipa-client-install configures sudo using SSSD the dependency will be added.

See upstream ticket https://fedorahosted.org/freeipa/ticket/3358

Comment 4 Martin Kosek 2014-06-05 07:09:22 UTC
Ticket #3358 is fixed upstream, sudo is now configured automatically by ipa-client-install.

libsss_sudo is now part of sssd-common package and thus always installed.

Comment 6 Martin Kosek 2014-08-26 14:46:40 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4508

Comment 9 Xiyang Dong 2014-10-22 16:30:02 UTC
Verified:
sudo was configured during ipa-client-install automatically.

[root@71client ipa-sudo]# grep "services" /etc/sssd/sssd.conf
services = nss, sudo, pam, ssh

[root@71client ipa-sudo]# grep "sudoers" /etc/nsswitch.conf
sudoers: files sss


 +-----------------------------[RPMs & OS: [ - x86_64]-----------------------------+
|       ipa-admintools-4.1.0-0.1.alpha1.el7.x86_64
|       ipa-client-4.1.0-0.1.alpha1.el7.x86_64
|       sssd-ipa-1.12.1-3.el7.x86_64
------------------------------------------------------------------------------------------
 
 +-----------------------------------------------------------------------------------------+
     Test:[/ipa-server/rhel70/ipa-sudo/root]: [ Pass(15/15): 100% ]
 +-----------------------------------------------------------------------------------------+
:: [   PASS   ]   ipa-sudo-cli-sanity-tests-setup
:: [   PASS   ]   ipa-sudo-wrapper: phase covering all tests
:: [   PASS   ]   just wait for master test to be finished first
:: [   PASS   ]   Setup for sudo functional tests
:: [   PASS   ]   sudorule-offline-caching-allow-command
:: [   PASS   ]   sudorule-offline-caching-deny-command
:: [   PASS   ]   sudorule-offline-caching-runasuser-command
:: [   PASS   ]   sudorule-offline-caching-runasgroup-command
:: [   PASS   ]   sudorule-offline-caching-hostgroup-command
:: [   PASS   ]   sudorule-offline-caching-group
:: [   PASS   ]   sudorule-offline-caching-option
:: [   PASS   ]   disable-sudorule-offline-caching
:: [   PASS   ]   sudo func cleanup
:: [   PASS   ]   Clean up for sudo functional tests
:: [   PASS   ]   /ipa-server/rhel70/ipa-sudo/root
 
 +----------------------------------------------------------------------+
                    Fail / unfinished / ABORT [ Fail(0/15): 0% ]
 +----------------------------------------------------------------------+
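
The two settings verified with grep in Comment 9, as an added shell example that is not part of the bug report or of ipa-client-install: it parses both files so that a commented-out line or a "services" key in a [domain/...] section cannot pass as a match. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): check that sudo rules are served
# by SSSD, i.e. the state ipa-client-install leaves behind by default.

# sssd_has_sudo FILE: succeeds if "sudo" is listed in services= of [sssd].
sssd_has_sudo() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                       # keep the value only
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# nss_sudoers_uses_sss FILE: succeeds if the active sudoers: line lists "sss".
nss_sudoers_uses_sss() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")                       # keep the source list
            sub(/#.*/, "")                           # drop trailing comment
            n = split($0, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# check_sudo_sssd SSSD_CONF NSSWITCH_CONF: reports each missing setting and
# returns 0 only when both are present.
check_sudo_sssd() {
    rc=0
    sssd_has_sudo "$1" || { echo "MISSING: sudo not in [sssd] services ($1)"; rc=1; }
    nss_sudoers_uses_sss "$2" || { echo "MISSING: sss not in sudoers: ($2)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: sudo rules are served by SSSD"
    return "$rc"
}
```

On a client, run it as `check_sudo_sssd /etc/sssd/sssd.conf /etc/nsswitch.conf` (root is needed to read sssd.conf).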

Comment 12 errata-xmlrpc 2015-03-05 10:09:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html