Hi! >> Let's say we're using domain example.com. Adding clients a.example.com >> and b.example.com was smooth. Adding client a.sub1.example.com also >> had no problems until I tried to get sudoers from the IPA server >> (using SSSD and LDAP as suggested). The client fails to find any users >> matching the server name. Because the only difference compared to a >> fully functional server is the dot in the host name, that's probably >> the reason why no sudoers are found for the server in the subdomain? > >What do you use in nsswitch.conf for sudoers? ldap or sss? If sss, can >you also paste your sssd.conf?
>Can you paste the output of sudo along with the -D parameter to get some >debugging? I managed to get subdomains working after adding the subdomain to the IPA DNS and filling in the various SRV records pointing to the IPA master. After the DNS was setup properly, DNS discovery would display the correct subdomain on ipa-client-install. After the DNS discovery was successful, also sudo started working properly on most servers. As I specified sss for sudoers in nsswitch.conf and added the necessary configuration to sssd.conf as described in the RedHat documentation, I was able to sudo the commands I had enabled in the IPA policy. That's great! Some servers are still, however, causing headache. According to /var/log/secure sudo can authenticate me, but for some reason the list of allowed commands is empty (sudo -l responds "Sorry, user xxx may not run sudo on yyy."). I have defined sudo rules so that anybody can use sudo on any host, but only certain commands. I'll try to debug the problems and let you know how it goes. The caching mechanism for sudo/sssd and especially clearing the cache with sss_cache has turned out to be somewhat challenging to understand. Does anybody know the correct parameters that cause the sudoers cache be invalidated? Thanks also to everybody else for replying to my message! Best regards, Thomas -- Thomas Raehalme CTO, teknologiajohtaja Mobile +358 40 545 0605 Codecenter Oy Väinönkatu 26 A, 4th Floor 40100 JYVÄSKYLÄ, Finland Tel. +358 10 322 0040 www.codecenter.fi Codecenter - Tietojärjestelmiä ymmärrettävästi _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users