RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:

The RHEL6 Identity Management Guide, chapter 20.4.2 , "Applying the Configured sudo Policies to Hosts Using SSSD" provides instructions on how to configure sudo to use SSSD.  However, these instructions do not work unless the following parameters are set inside the [domain/example.com] of sssd.conf:

sudo_provider = ldap
ldap_sasl_mech = GSSAPI

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 6.5
Identity Management Guide
Managing Identity and Authorization Policies for Linux-Based Infrastructures
Edition 3.0.0

How reproducible:
Always

Steps to Reproduce:
1. Follow documentation at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/config-sudo-clients.html#example-configuring-sudo-sssd
2. Try to sudo


Actual results:
Sudo rules are not retrieved from ipa server

Expected results:
Error should not occur, and if sudo is properly configured, access should be granted.

Additional info:
According to sssd-ldap manpage:
- sudo_provider default value is based on id_provider and we set that to ipa, while it needs to be ldap because ipa sudo provider is not yet working on current versions of sssd.
- ldap_sasl_mech default value is "not set" but we only support GSSAPI

Maybe is also a good idea to mention that there are some other parameters which default values could not match your environment and could require adjustments:

ldap_uri = ldap://ipa-server.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_authid = host/ipa-client.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa-server.example.com

Check man sssd-ldap to check for the default options.

I spoke with Jakub (cc'd) and he confirmed that in RHEL 6.6, the mentioned configuration will be added automatically if missing, which fixes this problem.

Therefore, there is no actual impact on documentation.

In the meantime, this issue might be a nice kbase article (unless we have some already)