On Mon, May 20, 2013 at 03:58:11PM -0400, Dmitri Pal wrote:
> On 05/20/2013 12:33 PM, Duncan R. Green wrote:
> > I ask upon thee, oh great ipa gurus...
> > I've got ipa set up with sudo, and have it successfully working on
> > several hosts.
> > On one particular host, though, I'm having issues.
> > SSSD seems to be working fine -- can ssh in as a user, can kinit, etc.
> > However, when I try to use sudo, I immediately get
> > ldap_sasl_bind_s(): Server is unwilling to perform
> > and in /var/log/secure, I see
> > May 20 17:20:07 SERVERNAME sudo: pam_unix(sudo:auth): authentication
> > failure; logname=username uid=0 euid=0 tty=/dev/pts/0 ruser = rhost =
> > user=username
> > May 20 17:20:07 SERVERNAME sudo: pam_sss(sudo:auth): authentication
> > success; logname=username uid=0 euid=0 tty=/dev/pts/0 ruser = rhost =
> > user=username
> > May 20 17:20:07 SERVERNAME sudo: username : user NOT in sudoers ;
> > TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/bin/vi /etc/rc.local
> > ...any advice?
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipaemail@example.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> Please turn on sudo debug and provide the debug output.
> Also please look at the server side access logs, they might shed some
> light on why the server is unwilling to perform.
> What OS the client is? It might have an LDAP library that is out of date
> or provides some control that server does not like or understands.
> Also the authentication of the sudo connection might be not properly
> Generally there is not enough info to give you more guidance, sorry.
Yes, I believe the server logs would be the best in this case. Unwilling
to perform sounds like the client requested an operation the server
Freeipa-users mailing list