Hi Mark,

Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you'll probably need to update sssd and ipa-client. The one in 6.8 should work fine. I've recently enrolled a few RHEL 6.4 servers and noticed the same thing, but everything was solved after doing a yum update sssd.

Cheers,
Răzvan

> On 13 Sep 2017, at 22:04, Mark Haney via FreeIPA-users <email@example.com> wrote:
>
> One of my biggest projects is to use ansible to kill OpenLDAP clients on our production servers and install and configure ipa-client. I'm probably 95% there with automating the process (still trying to figure out what pam_ldap crap is floating around after uninstalling those packages and such) but I've got a weird issue that appears to be related to the C6 ipa-client setup.
>
> After installing the ipa-client and configuring, I can log in as my ipa user account, but, even though I have SUDO rules in place, I'm getting a 'user is not in sudoers file...etc, etc' on CentOS 6, but /not/ on a CentOS 7 client I have tested on. I've tried two different C6 boxes with the same result. The SSSD/nsswitch/pam.d config files are all identical between the C6 and C7 servers.
>
> The C7 box did not have a previous OpenLDAP client on it, and neither did one of the C6 boxes, so it doesn't appear to be a problem/conflict with remnants of OpenLDAP/PAM causing the problem. Sudoers on all the boxes I'm testing is out-of-the-box vanilla and there are no sudoers.d/ files either.
>
> I'm an IPA newbie, and I gave up on OpenLDAP and PAM (god, what a cockup that is) almost two decades ago, so I'm not as familiar with it as some people might be. Here are the package versions for the IPA clients:
>
> C7: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
>
> C6: ipa-client-3.0.0-51.el6.centos.x86_64
>
> The only other thing I can think of to mention is that in /var/log/secure on the C6 boxes I'm getting a pam_unix.so authentication failure (obviously since my user isn't on that box) prior to sssd authenticating me successfully when trying to sudo su. I do not see that problem on the C7 box.
>
> Any ideas?
>
> --
> Mark Haney
> Network Engineer at NeoNova
> 919-460-3330 option 1
> mark.ha...@neonova.net
> www.neonova.net
> _______________________________________________
> FreeIPA-users mailing list -- firstname.lastname@example.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
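A client-side check that goes with the advice above, added here as an example and not part of the thread: it confirms that nsswitch.conf routes the sudoers database to sss and that the responder list in sssd.conf includes sudo, the two settings a client with working SSSD sudo support needs. The file paths are taken as arguments, and the sample config files are constructed for the demo.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: check whether an IPA client is wired
# to fetch sudo rules through SSSD. File paths are passed in so it can run
# against copies of /etc/nsswitch.conf and /etc/sssd/sssd.conf offline.
# True when the "sudoers:" line in nsswitch.conf lists the sss source.
nsswitch_has_sss() {
    grep -E '^[[:space:]]*sudoers:' "$1" |
        grep -Eq '(^|[[:space:]])sss([[:space:]]|$)'
}

# True when the [sssd] section's "services =" line in sssd.conf includes sudo.
sssd_has_sudo_service() {
    awk '
        /^\[/ { in_sssd = ($0 ~ /^\[sssd\]/) }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, a, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (a[i] == "sudo") found = 1
        }
        END { exit !found }
    ' "$1"
}

# Report both checks; returns 0 only when both pass.
check_sudo_integration() {   # $1 = nsswitch.conf, $2 = sssd.conf
    rc=0
    if nsswitch_has_sss "$1"; then echo "ok: nsswitch sudoers uses sss"
    else echo "MISSING: sudoers line in $1 does not list sss"; rc=1; fi
    if sssd_has_sudo_service "$2"; then echo "ok: sssd services include sudo"
    else echo "MISSING: [sssd] services in $2 does not include sudo"; rc=1; fi
    return $rc
}

# Constructed sample configs (not from any real host) for a stand-alone run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nsswitch.conf" <<'EOF'
passwd:     files sss
sudoers:    files sss
EOF
cat > "$demo_dir/sssd-new.conf" <<'EOF'
[sssd]
services = nss, pam, sudo
EOF
cat > "$demo_dir/sssd-old.conf" <<'EOF'
[sssd]
services = nss, pam
EOF
check_sudo_integration "$demo_dir/nsswitch.conf" "$demo_dir/sssd-new.conf" || true
check_sudo_integration "$demo_dir/nsswitch.conf" "$demo_dir/sssd-old.conf" || true
```

On a real client, run it as `check_sudo_integration /etc/nsswitch.conf /etc/sssd/sssd.conf`; a MISSING line points at the file to fix, and on an old client the fix from the thread (updating sssd and ipa-client) is what puts those settings in place.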