Thanks. In this case, on a lark, I compared the sizes of the ca.crt file
between the working and nonworking nodes and there was a 4 byte difference.
Copying over the working copy to the nonworking node got things flowing
again. I'm filing these notes in my nv stack for later reference, though.

Thanks, Rob.


*
*
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret


On Tue, Oct 1, 2013 at 10:53 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Bret Wortman wrote:
>
>> One some of my nodes, attempting to sudo yields this:
>>
>> $ sudo su -
>> sudo: ldap_start_tls_s(): Connect error
>> [sudo] password for bretw:
>>
>> When the policy for my account is set up for !authenticate on all systems.
>>
>> On my own workstation, and most of our systems, it works just fine. But
>> on a few, this is happening. What's the best way to start debugging
>> this? I'm not looking for someone to do the work for me, but some
>> pointers to the right logfiles or extra flags would be helpful.
>>
>
> Add 'sudoers_debug: 2' to the sudo ldap configuration file.
>
> Check the DS access log on the IPA server this connects to for SSL errors.
>
> You should have these set:
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> rob
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to