Hey Michael.

I have never added Ubuntu or Debian machines to an IPA server. I have gotten RHEL 5/6/7, HPUX 11.31 and Solaris 10/11 machines added and working on my IPA servers. So I can hope to shed some light from my troubles. I have found that the issue lies with how the sudo on the server resolves its own hostname.

Can you attempt to debug sudo? You should be able to add a debug line to sssd.conf in the [sudo] section. Also, have you tried to add a rule and explicitly list the server (not group)? This will help determine if the issue is related to the host and passing/comparing with the FQDN or if it's having issues expanding host groups.

I'm sure you already know this, but including just in case: From the sssd.conf man page from Ubuntu you can have a setting in there - hostid_provider - make sure that is set to ipa. I'm sure this is set up from the installation. The man page also states:

"Note: in order to use netgroups or IPA hostgroups in sudo rules, you also need to correctly set nisdomainname(1) to your NIS domain name (which equals to IPA domain name when using hostgroups)."

You can also set a setting in the sssd.conf to reflect the FQDN correctly: ipa_hostname = FQDN. I have had to set this, due to not being able to change hostnames from shortname to FQDN.

Common things I have run into / fixed:

- hosts file is not set up correctly for the host. The host entry for itself has to be set up as 10.0.0.5 ServerFQDN ServerShortname
- Set the server name to the FQDN vs shortname. If unable to set, statically set the hostname with the --hostname option on installation.
- Ensure that the host entry FQDN in IPA is the same as the hosts file/hostname. Otherwise you can set the hostname statically in sssd.conf with
- Set the nisdomain name to IPA domain.
- Added a sudo option into the sudo rule "fqdn", to ensure the fqdn will be used by the hosts.

I would be more interested in what the debugging produces.

-Aaron
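
The checklist in the message above can be scripted. This is an added example, not part of Aaron's message or of FreeIPA/SSSD: the function names are hypothetical, the host names and files in demo() are constructed, and it assumes the IPA domain is read from the ipa_domain key in sssd.conf.

```shell
#!/bin/sh
# Added example: the checks from the message above, as functions that take
# file paths so they can be run on copies of the real files.

# Print the value of KEY from an sssd.conf-style file (first match wins).
sssd_get() {  # usage: sssd_get FILE KEY
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }
        { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# Succeed if some line reads "IP FQDN ... SHORTNAME", with the FQDN first.
hosts_entry_ok() {  # usage: hosts_entry_ok HOSTS_FILE FQDN
    awk -v f="$2" -v s="${2%%.*}" '
        { sub(/#.*/, "") }
        tolower($2) == tolower(f) { for (i = 3; i <= NF; i++) if (tolower($i) == tolower(s)) ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Report every mismatch; return non-zero if any check failed.
check_client() {  # usage: check_client HOSTS_FILE SSSD_CONF FQDN NISDOMAIN
    rc=0
    hosts_entry_ok "$1" "$3" || { echo "hosts: no 'IP $3 ${3%%.*}' line"; rc=1; }
    p=$(sssd_get "$2" hostid_provider)
    # Assumption: when hostid_provider is unset, sssd uses the id_provider value.
    [ -n "$p" ] || p=$(sssd_get "$2" id_provider)
    [ "$p" = ipa ] || { echo "sssd: hostid_provider is '$p', not ipa"; rc=1; }
    h=$(sssd_get "$2" ipa_hostname)
    [ -z "$h" ] || [ "$h" = "$3" ] || { echo "sssd: ipa_hostname '$h' != $3"; rc=1; }
    d=$(sssd_get "$2" ipa_domain)
    [ "$4" = "$d" ] || { echo "nisdomainname '$4' != ipa_domain '$d'"; rc=1; }
    return $rc
}

# Constructed sample files (not from the thread): short name listed before FQDN.
demo() {
    t=$(mktemp -d) || return 2
    printf '127.0.0.1 localhost\n10.0.0.5 web01 web01.example.test\n' > "$t/hosts"
    printf '[domain/example.test]\nid_provider = ipa\nipa_domain = example.test\nipa_hostname = web01.example.test\n' > "$t/sssd.conf"
    check_client "$t/hosts" "$t/sssd.conf" web01.example.test example.test
    rc=$?; rm -rf "$t"; return $rc
}
# On a client: check_client /etc/hosts /etc/sssd/sssd.conf "$(hostname -f)" "$(nisdomainname)"
```

demo() fails only the hosts-file check, because its sample entry lists the short name before the FQDN.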