One of my biggest projects is to use ansible to kill OpenLDAP clients on our production servers and install ipa-client and configured.  I'm probably 95% there with automating the process (still trying to figure out what pam_ldap crap is floating around after uninstalling those packages and such) but I've got a weird issue that appears to be related to the C6 ipa-client setup.

After installing the ipa-client and configuring, I can login as my ipa user account, but, even though I have SUDO rules in place, I'm getting a 'user is not in sudoers file...etc, etc' on CentOS 6, but /not/ on a CentOS 7 client I have tested on.  I've tried two different C6 boxes with the same result.  The SSSD/nsswitch/pam.d config files are all identical between the C6 and C7 servers.

The C7 box did not have a previous OpenLDAP client on it, and neither did one of the C6 boxes, so it doesn't appear to be a problem/conflict with remnants of OpenLDAP/PAM causing the problem.  Sudoers on all the boxes I'm testing is out-of-the-box vanilla and there are no sudoers.d/ files either.

I'm an IPA newbie, and I gave up on OpenLDAP and PAM (god, what a cockup that is) almost two decades ago, so I'm not as familiar with it as some people might be.  Here are the package versions for the IPA clients:

C7: ipa-client-4.5.0-21.el7.centos.1.2.x86_64

C6: ipa-client-3.0.0-51.el6.centos.x86_64

The only other thing I can think of to mention is that in /var/log/secure on the C6 boxes I'm getting a authentication failure (obviously since my user isn't on that box) prior to sssd authenticating me successfully when trying to sudo su.  I do not see that problem on the C7 box.

Any ideas?

Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
FreeIPA-users mailing list --
To unsubscribe send an email to
  • [Freeipa-users] IPA sudo r... Mark Haney via FreeIPA-users

Reply via email to