Hey Michael.

I have never added Ubuntu or Debian machines to an IPA server.  I have gotten 
RHEL 5/6/7, HPUX 11.31 and Solaris 10/11 machines added and working on my IPA 
servers.  So I can hope to shed some light from my troubles.  I have found that 
the issue lies with how the sudo on the server resolves it's own hostname.

Can you attempted to debug sudo?  You should be able to add a debug line 
sssd.conf in the [sudo] section.

Also have you tried to add a rule and explicitly list the server (not group)?  
This will help determine if the issue is related to the host and passing 
comparing with the FQDN or if it's having issues expanding host groups.

I'm sure you already know this, but including just in case:

From the sssd.conf man page from Ubuntu you can have a setting in there - 
hostid_provider - make sure that is set to ipa. I'm sure this is setup from the 

The man page also states: "Note: in order to use netgroups or IPA hostgroups in 
sudo rules, you
       also need to correctly set nisdomainname(1) to your NIS domain name
       (which equals to IPA domain name when using hostgroups)."

You can also set a setting in the sssd.conf to reflect the FQDN correctly  
ipa_hostname = FQDN.  I have had to set this, due to not being able to change 
hostnames from shortname to FQDN.

Common things I have ran into / fixed  - 
- hosts file is not setup correctly for the host.  The host entry for itself 
has to be setup as ServerFQDN ServerShortname

- Set the server name to the FQDN vs shortname. If unable to set, statically 
set the hostname with the --hostname option on installation.

- Ensure that the host entry FQDN in IPA is the same as the hosts 
file/hostname.  Otherwise you can set the hostname statically in sssd.conf with 

- Set the nisdomain name to IPA domain.

- Added a sudo option into the sudo rule "fqdn", to ensure the fqdn will be 
used by the hosts. 

I would be more interested in what the debugging produces.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to