Thanks. In this case, on a lark, I compared the sizes of the ca.crt file
between the working and nonworking nodes and there was a 4 byte difference.
Copying over the working copy to the nonworking node got things flowing
again. I'm filing these notes in my nv stack for later reference, though.
On Tue, Oct 1, 2013 at 10:53 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Bret Wortman wrote:
>> On some of my nodes, attempting to sudo yields this:
>> $ sudo su -
>> sudo: ldap_start_tls_s(): Connect error
>> [sudo] password for bretw:
>> When the policy for my account is set up for !authenticate on all systems.
>> On my own workstation, and most of our systems, it works just fine. But
>> on a few, this is happening. What's the best way to start debugging
>> this? I'm not looking for someone to do the work for me, but some
>> pointers to the right logfiles or extra flags would be helpful.
> Add 'sudoers_debug: 2' to the sudo ldap configuration file.
> Check the DS access log on the IPA server this connects to for SSL errors.
> You should have these set:
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
Freeipa-users mailing list
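The two checks that came up in this thread, Rob's list of required start_tls settings and Bret's comparison of ca.crt between a working and a non-working node, assembled into a small POSIX shell script. This is an added example, not code from the thread or from the FreeIPA project. It assumes sudo's LDAP settings live in a ldap.conf-style file of "keyword value" lines, that a known-good ca.crt is available to hash, and it uses constructed sample config and certificate files (placeholder text, not real certificates) so it runs offline; the file paths are illustrative.

```sh
#!/bin/sh
# Added example (not from the thread): check a node's sudo LDAP config for the
# start_tls settings named in the thread, and compare its CA bundle with a
# known-good copy by SHA-256 rather than by file size.
# Assumptions: ldap.conf-style "keyword value" lines; paths are illustrative.

# Print the value of the first non-comment line for a key (optional ':' after key).
conf_value() {
    # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2:\{0,1\}[[:space:]]\{1,\}\(.*\)\$/\1/p" "$1" | head -n 1
}

# Return 0 if the three settings from the thread are present with the expected
# values; report each problem on stdout and return 1 otherwise.
check_sudo_ldap_conf() {
    conf=$1
    rc=0
    [ "$(conf_value "$conf" ssl)" = "start_tls" ] \
        || { echo "$conf: expected 'ssl start_tls'"; rc=1; }
    [ -n "$(conf_value "$conf" tls_cacertfile)" ] \
        || { echo "$conf: tls_cacertfile not set"; rc=1; }
    [ "$(conf_value "$conf" tls_checkpeer)" = "yes" ] \
        || { echo "$conf: expected 'tls_checkpeer yes'"; rc=1; }
    return $rc
}

# A truncated CA file (e.g. a copy that lost its last bytes) usually lacks the
# END marker; check both PEM markers are present.
ca_looks_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# SHA-256 of a file, using whichever tool the host has.
ca_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# $1 = ca.crt on this node, $2 = hash of the known-good copy (taken on a working node)
ca_matches() {
    [ "$(ca_hash "$1")" = "$2" ]
}

# --- constructed demo data (not real configs or certificates) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat >"$demo/good.conf" <<'EOF'
# constructed sample: has the settings from the thread
uri ldap://ipa.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_debug 2
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
EOF

cat >"$demo/bad.conf" <<'EOF'
# constructed sample: start_tls with no CA file and peer checking off
uri ldap://ipa.example.com
ssl start_tls
tls_checkpeer no
EOF

# Placeholder PEM bodies; the "trunc" copy is missing its END line.
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n' \
    >"$demo/ca-good.crt"
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n' \
    >"$demo/ca-trunc.crt"

for conf in "$demo/good.conf" "$demo/bad.conf"; do
    if check_sudo_ldap_conf "$conf"; then echo "$conf: TLS settings OK"; fi
done

reference=$(ca_hash "$demo/ca-good.crt")   # on a real system: hash from a working node
for crt in "$demo/ca-good.crt" "$demo/ca-trunc.crt"; do
    if ca_looks_pem "$crt" && ca_matches "$crt" "$reference"; then
        echo "$crt: matches known-good CA bundle"
    else
        echo "$crt: MISMATCH or malformed, copy ca.crt from a working node"
    fi
done
```

On a real node, point the functions at the sudo LDAP config and /etc/ipa/ca.crt and take the reference hash from a node where sudo works; a hash comparison catches a 4-byte difference just as well as a size comparison, but also catches same-size corruption.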