Well, I figured it out... "bindpwd"
D'oh! 3 days troubleshooting a typo :P

On Mon, May 20, 2013 at 4:19 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Mon, May 20, 2013 at 03:58:11PM -0400, Dmitri Pal wrote:
> > On 05/20/2013 12:33 PM, Duncan R. Green wrote:
> > > I ask upon thee, oh great ipa gurus...
> > >
> > > I've got ipa set up with sudo, and have it successfully working on
> > > several hosts.
> > >
> > > On one particular host, though, I'm having issues.
> > >
> > > SSSD seems to be working fine -- can ssh in as a user, can kinit, etc.
> > >
> > > However, when I try to use sudo, I immediately get
> > >
> > > ldap_sasl_bind_s(): Server is unwilling to perform
> > >
> > > and in /var/log/secure, I see
> > >
> > > May 20 17:20:07 SERVERNAME sudo: pam_unix(sudo:auth): authentication
> > > failure; logname=username uid=0 euid=0 tty=/dev/pts/0 ruser = rhost =
> > > user=username
> > >
> > > May 20 17:20:07 SERVERNAME sudo: pam_sss(sudo:auth): authentication
> > > success; logname=username uid=0 euid=0 tty=/dev/pts/0 ruser = rhost =
> > > user=username
> > >
> > > May 20 17:20:07 SERVERNAME sudo: username : user NOT in sudoers ;
> > > TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/bin/vi /etc/rc.local
> > >
> > > ...any advice?
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > Freeipafirstname.lastname@example.org
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > Please turn on sudo debug and provide the debug output.
> > Also please look at the server side access logs, they might shed some
> > light on why the server is unwilling to perform.
> > What OS is the client? It might have an LDAP library that is out of date
> > or provides some control that server does not like or understand.
> > Also the authentication of the sudo connection might not be properly
> > configured.
> >
> > Generally there is not enough info to give you more guidance, sorry.
>
> Yes, I believe the server logs would be the best in this case. Unwilling
> to perform sounds like the client requested an operation the server
> couldn't complete.