On 10/17/2012 09:26 AM, Macklin, Jason wrote:
> Okay,
>
> Rule name: test4
> Enabled: TRUE
> Command category: all
> Users: asteinfeld
> Hosts: dbduwdu062.dbr.roche.com
> Host Groups: tempsudo
>
> Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
>
> /etc/nsswitch.conf has:
>
> Netgroups: files sss
>
> Getent netgroup tempsudo returns:
>
> [jmacklin@dbduwdu062 Desktop]$ getent netgroup tempsudo
> tempsudo (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)
>
> To the previous ldapsearch request:
>
> [jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
> additional info: Entry permanently locked.
It seems that you tried the wrong password and the account is now temporarily locked, thus the server is unwilling to perform authentication for this account.

> I am still scratching my head on this one...
>
> Cheers,
> Jason
>
> If you look closely, the reason that your admin works is because it appears
> to be matching a sudo rule that has the "ALL" hosts value set.
>
> When you run the non-working user, it is attempting to match the
> hostname/hostgroup to the rule and fails to do so.
>
> Try this. Type: getent netgroup hostgroupname <- your host's hostgroup goes
> there.
>
> ^ that command should return all of the hosts in your hostgroup. If it does
> not, then check /etc/nsswitch.conf and make sure that netgroup is set to use
> sss.
>
> You will also need to make sure that the output of: domainname or
> nisdomainname matches your expected domain.
>
> Let me know how things look after trying that.
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
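The three checks quoted above (host present in the netgroup, `netgroup` resolved through `sss` in /etc/nsswitch.conf, NIS domain matching the triple's domain field) can be scripted so the result is a pass/fail rather than eyeballing output. The script below is an added example, not code from the thread or from FreeIPA; it parses the `(host, user, domain)` triple format that `getent netgroup` prints. All inputs are constructed sample strings modelled on the thread's output, so it runs offline; on a real client you would feed it `$(getent netgroup "$group")`, the `netgroup:` line from /etc/nsswitch.conf and `$(nisdomainname)` instead.

```sh
#!/bin/sh
# Added example (not from the thread or FreeIPA). Offline version of the three
# diagnostics recommended in the reply:
#   1. the client host appears in the sudo rule's host netgroup,
#   2. /etc/nsswitch.conf resolves netgroups through sss,
#   3. the domain field of the host's netgroup triple matches nisdomainname.
# All inputs below are constructed samples standing in for live command output.

# Constructed sample of `getent netgroup tempsudo` (same shape as in the thread).
SAMPLE_NETGROUP='tempsudo (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)'
# Constructed sample netgroup line from /etc/nsswitch.conf.
SAMPLE_NSSWITCH='netgroup:   files sss'
# Constructed sample of `nisdomainname` output.
SAMPLE_NISDOMAIN='dbr.roche.com'

# netgroup_hosts "<getent output>": print the host field of every
# (host, user, domain) triple, one per line.
netgroup_hosts() {
    printf '%s\n' "$1" | tr '(' '\n' | sed -n 's/^ *\([^,)]*\),.*$/\1/p'
}

# host_in_netgroup <host> "<getent output>": exit 0 if the host is a member.
host_in_netgroup() {
    netgroup_hosts "$2" | grep -qxF "$1"
}

# netgroup_triple_domain <host> "<getent output>": print the domain field of
# that host's triple (empty if the host is not listed).
netgroup_triple_domain() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots so they match literally
    printf '%s\n' "$2" | tr '(' '\n' | sed -n "s/^ *$esc, *[^,]*, *\([^)]*\)).*$/\1/p"
}

# nsswitch_netgroup_uses_sss "<nsswitch line>": exit 0 if the netgroup source
# list contains the sss module (e.g. "netgroup: files sss").
nsswitch_netgroup_uses_sss() {
    printf '%s\n' "$1" | grep -qE \
        '^[[:space:]]*netgroup[[:space:]]*:[[:space:]]*([^[:space:]]+[[:space:]]+)*sss([[:space:]]|$)'
}

# sudo_host_check <host> "<getent output>" "<nsswitch line>" "<nisdomain>":
# exit 0 only when all three conditions hold; print which one fails otherwise.
sudo_host_check() {
    host=$1; ng=$2; nss=$3; nisdom=$4; rc=0
    if ! host_in_netgroup "$host" "$ng"; then
        echo "FAIL: $host is not a member of the netgroup"; rc=1
    fi
    if ! nsswitch_netgroup_uses_sss "$nss"; then
        echo "FAIL: nsswitch.conf does not resolve netgroups via sss"; rc=1
    fi
    dom=$(netgroup_triple_domain "$host" "$ng")
    if [ -n "$dom" ] && [ "$dom" != "$nisdom" ]; then
        echo "FAIL: triple domain '$dom' does not match nisdomainname '$nisdom'"; rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed samples.
sudo_host_check dbduwdu062.dbr.roche.com "$SAMPLE_NETGROUP" "$SAMPLE_NSSWITCH" "$SAMPLE_NISDOMAIN" \
    && echo "OK: host, nsswitch and NIS domain all line up for sudo netgroup matching"
```

A failing third check is the one that is easy to miss: the host can show up in `getent netgroup` output and still not match the sudo rule when the client's NIS domain name differs from the domain field in the triple.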