I have never added Ubuntu or Debian machines to an IPA server. I have gotten
RHEL 5/6/7, HPUX 11.31 and Solaris 10/11 machines added and working on my IPA
servers. So I can hope to shed some light from my troubles. I have found that
the issue lies with how the sudo on the server resolves its own hostname.
Can you attempt to debug sudo? You should be able to add a debug line
to sssd.conf in the [sudo] section.
Also have you tried to add a rule and explicitly list the server (not group)?
This will help determine if the issue is related to the host and passing
comparing with the FQDN or if it's having issues expanding host groups.
I'm sure you already know this, but including just in case:
From the sssd.conf man page from Ubuntu you can have a setting in there -
hostid_provider - make sure that is set to ipa. I'm sure this is setup from the
The man page also states: "Note: in order to use netgroups or IPA hostgroups in
sudo rules, you
also need to correctly set nisdomainname(1) to your NIS domain name
(which equals to IPA domain name when using hostgroups)."
You can also set a setting in the sssd.conf to reflect the FQDN correctly
ipa_hostname = FQDN. I have had to set this, due to not being able to change
hostnames from shortname to FQDN.
Common things I have run into / fixed -
- hosts file is not set up correctly for the host. The host entry for itself
has to be set up as 10.0.0.5 ServerFQDN ServerShortname
- Set the server name to the FQDN vs shortname. If unable to set, statically
set the hostname with the --hostname option on installation.
- Ensure that the host entry FQDN in IPA is the same as the hosts
file/hostname. Otherwise you can set the hostname statically in sssd.conf with
- Set the nisdomain name to IPA domain.
- Added a sudo option into the sudo rule "fqdn", to ensure the fqdn will be
used by the hosts.
I would be more interested in what the debugging produces.
FreeIPA-users mailing list -- firstname.lastname@example.org
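
The checks listed in the message above, gathered into one offline audit script. This is an added example, not part of the original post or of FreeIPA/SSSD. The function names, the `web01.ipa.example.test` host, the `ipa.example.test` domain and the sample file contents are constructed, and the fallback from `hostid_provider` to `id_provider` is assumed from sssd.conf(5).

```shell
#!/bin/sh
# Added example. Offline audit of the host-identity settings the post lists.
# All hostnames, the IP and the file contents below are constructed samples.

conf_get() {  # conf_get FILE SECTION KEY -> value of KEY in [SECTION]
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec { k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
                if (k == key && index($0, "=")) {
                    v = substr($0, index($0, "=") + 1)
                    gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }' "$1"
}

hosts_entry_ok() {  # hosts_entry_ok FILE FQDN -> 0 if a line reads "IP FQDN SHORT"
    awk -v fqdn="$2" 'BEGIN { short = fqdn; sub(/\..*/, "", short) }
        !/^[ \t]*#/ && $2 == fqdn && $3 == short { ok = 1 }
        END { exit !ok }' "$1"
}

# audit SSSD_CONF HOSTS_FILE IPA_DOMAIN HOSTNAME NISDOMAIN
# Prints one line per finding; the return status is the number of findings.
audit() {
    sec="domain/$3"; bad=0
    fqdn=$(conf_get "$1" "$sec" ipa_hostname)
    [ -n "$fqdn" ] || fqdn=$4      # no ipa_hostname override: use system hostname
    case $fqdn in
        *.*) ;;
        *) echo "hostname '$fqdn' is a short name, not an FQDN"; bad=$((bad + 1)) ;;
    esac
    hosts_entry_ok "$2" "$fqdn" ||
        { echo "hosts file lacks 'IP $fqdn ${fqdn%%.*}'"; bad=$((bad + 1)); }
    prov=$(conf_get "$1" "$sec" hostid_provider)
    [ -n "$prov" ] || prov=$(conf_get "$1" "$sec" id_provider)  # assumed fallback
    [ "$prov" = ipa ] || { echo "hostid_provider is '$prov', not ipa"; bad=$((bad + 1)); }
    [ "$5" = "$3" ] ||
        { echo "NIS domain '$5' differs from IPA domain '$3'"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample: short system hostname, FQDN pinned via ipa_hostname.
demo=$(mktemp -d)
printf '%s\n' '[domain/ipa.example.test]' 'id_provider = ipa' \
    'ipa_hostname = web01.ipa.example.test' '[sudo]' 'debug_level = 7' > "$demo/sssd.conf"
printf '%s\n' '127.0.0.1 localhost' \
    '10.0.0.5 web01.ipa.example.test web01' > "$demo/hosts"
audit "$demo/sssd.conf" "$demo/hosts" ipa.example.test web01 ipa.example.test \
    && echo "no findings"
```

On a real client the last three arguments would come from the IPA domain name, `hostname` and `nisdomainname`, with `/etc/sssd/sssd.conf` and `/etc/hosts` as the files.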