On 10/17/2012 09:26 AM, Macklin, Jason wrote:
> Rule name: test4
> Enabled: TRUE
> Command category: all
> Users: asteinfeld
> Hosts: dbduwdu062.dbr.roche.com
> Host Groups: tempsudo
> Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
> /etc/nsswitch.conf has:
> Netgroups: files sss
> Getent netgroup tempsudo returns:
> [jmacklin@dbduwdu062 Desktop]$ getent netgroup tempsudo
> tempsudo (dbduwdu063.dbr.roche.com, -, dbr.roche.com)
> (dbduwdu062.dbr.roche.com, -, dbr.roche.com)
> To the previous ldapsearch request:
> [jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H
> ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
> additional info: Entry permanently locked.
It seems that you tried the wrong password and the account is now
temporarily locked, thus the server is unwilling to perform
authentication for this account.
> I am still scratching my head on this one...
> If you look closely, the reason that your admin works is that it appears
> to be matching a sudo rule which has the "ALL" hosts value set.
> When you run the non-working user, it is attempting to match the
> hostname/hostgroup to the rule and fails to do so.
> Try this. Type: getent netgroup hostgroupname <- your host's hostgroup goes
> ^ that command should return all of the hosts in your hostgroup. If it does
> not, then check /etc/nsswitch.conf and make sure that netgroup is set to use
> You will also need to make sure that the output of: domainname or
> nisdomainname matches your expected domain.
> Let me know how things look after trying that.
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Freeipa-users mailing list
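The host-match checks recommended in the thread (getent netgroup output, the netgroup line in nsswitch.conf, and the NIS domain), as an added example that is not part of the original thread. The sample getent output and nsswitch fragment are constructed from the values quoted above; the live-check section assumes hostname -f, nisdomainname/domainname and getent are present on the client.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the checks the reply recommends
# for a netgroup-based sudo host match. `getent netgroup` expands a netgroup into
# (host,user,domain) triples; a host matches a triple when the host field equals
# its FQDN and the domain field is empty or equals the NIS domain reported by
# nisdomainname/domainname. All sample values below are constructed.

# Constructed sample of `getent netgroup tempsudo` output, modelled on the thread.
SAMPLE_GETENT='tempsudo (dbduwdu063.dbr.roche.com,-,dbr.roche.com) (dbduwdu062.dbr.roche.com,-,dbr.roche.com)'
# Constructed sample /etc/nsswitch.conf fragment.
SAMPLE_NSSWITCH='passwd:   files sss
netgroup: files sss'

# host_in_netgroup GETENT_OUTPUT FQDN NISDOMAIN -> returns 0 if FQDN is a member.
host_in_netgroup() {
  host=$2; domain=$3
  # drop the netgroup name, put one triple per line, strip "(", ")" and blanks
  triples=$(printf '%s\n' "$1" | sed 's/^[^ ]* //' | tr ')' '\n' | tr -d '( ')
  for t in $triples; do                     # each word is host,user,domain
    h=${t%%,*}; rest=${t#*,}; d=${rest#*,}  # the user field plays no part in host matching
    # an empty host or domain field is a wildcard; "-" never matches
    if { [ -z "$h" ] || [ "$h" = "$host" ]; } &&
       { [ -z "$d" ] || [ "$d" = "$domain" ]; }; then
      return 0
    fi
  done
  return 1
}

# nsswitch_uses_sss NSSWITCH_CONTENT -> returns 0 if the netgroup line lists sss.
nsswitch_uses_sss() {
  sources=$(printf '%s\n' "$1" | sed -n 's/^netgroup:[[:space:]]*//p')
  case " $sources " in *" sss "*) return 0 ;; esac
  return 1
}

# Live check on this machine (runs only when a netgroup name is given):
#   sh netgroup_check.sh tempsudo
if [ $# -ge 1 ]; then
  ng=$1; fqdn=$(hostname -f); nisdom=$(nisdomainname 2>/dev/null || domainname)
  out=$(getent netgroup "$ng") || { echo "netgroup $ng does not resolve"; exit 2; }
  host_in_netgroup "$out" "$fqdn" "$nisdom" \
    && echo "$fqdn matches $ng (NIS domain '$nisdom')" || echo "$fqdn does NOT match $ng"
  nsswitch_uses_sss "$(cat /etc/nsswitch.conf)" \
    && echo "nsswitch: netgroup uses sss" || echo "nsswitch: netgroup line lacks sss"
fi
```

If the host is listed but the domain field of its triple differs from what nisdomainname prints, the rule will not match even though getent shows the host, which is the mismatch the thread asks to rule out.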