Thanks. In this case, on a lark, I compared the sizes of the ca.crt file between the working and nonworking nodes and there was a 4 byte difference. Copying over the working copy to the nonworking node got things flowing again. I'm filing these notes in my nv stack for later reference, though.
Thanks, Rob. * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Tue, Oct 1, 2013 at 10:53 AM, Rob Crittenden <rcrit...@redhat.com> wrote: > Bret Wortman wrote: > >> One some of my nodes, attempting to sudo yields this: >> >> $ sudo su - >> sudo: ldap_start_tls_s(): Connect error >> [sudo] password for bretw: >> >> When the policy for my account is set up for !authenticate on all systems. >> >> On my own workstation, and most of our systems, it works just fine. But >> on a few, this is happening. What's the best way to start debugging >> this? I'm not looking for someone to do the work for me, but some >> pointers to the right logfiles or extra flags would be helpful. >> > > Add 'sudoers_debug: 2' to the sudo ldap configuration file. > > Check the DS access log on the IPA server this connects to for SSL errors. > > You should have these set: > > ssl start_tls > tls_cacertfile /etc/ipa/ca.crt > tls_checkpeer yes > > rob > >
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users