I know I'm missing something simple, but I just can't get this IPA client to accept any sudo rules.
-sh-4.1$ sudo -l [sudo] password for [email protected]: User [email protected] is not allowed to run sudo on cypress. -sh-4.1$ id uid=11659([email protected]) gid=11659([email protected]) groups=11659(testadm@domain. com),160400007(ad_klasadm) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -sh-4.1$ kinit admin Password for [email protected]: -sh-4.1$ ipa sudorule-show operations Rule name: operations Description: KLAS / System Admins Enabled: TRUE Command category: all Users: localadm User Groups: ad_operations, ad_operations_external, ad_klasadm, ad_klasadm_external /var/log/sssd/sssd_sudo.log (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [testadm] from [DOMAIN.COM] (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requestinginfo about [[email protected]] (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [[email protected]] (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [[email protected]] from [DOMAIN.COM] (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= [email protected] )(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*))(&(dataExpireTimestamp<=1396984126)))] (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)([email protected] )(sudoUser=#11659)(sudoUser=%ad_klasadm)(sudoUser=+*)))] (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [[email protected]] (Tue Apr 8 15:08:46 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! 
[root@cypress etc]# cat nsswitch.conf # # /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Valid entries include: # # nisplus Use NIS+ (NIS version 3) # nis Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far # # To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd: db files nisplus nis #shadow: db files nisplus nis #group: db files nisplus nis passwd: files sss shadow: files sss group: files sss sudoers: files sss #hosts: db files nisplus nis dns hosts: files dns # Example - obey only what nisplus tells us... 
#services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: files sss publickey: nisplus automount: files aliases: files nisplus [root@cypress etc]# cd sssd [root@cypress sssd]# ls sssd.conf sssd.conf.deleted sssd.conf.sv [root@cypress sssd]# cat sssd.conf [domain/hosted.domain.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = hosted.domain.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = cypress.hosted.domain.com chpass_provider = ipa ipa_dyndns_update = True ipa_server = _srv_, ipa.hosted.domain.com ldap_tls_cacert = /etc/ipa/ca.crt debug_level=6 # # sudo integration # sudo_provider = ldap ldap_uri = ldap://ipa.hosted.domain.com ldap_sudo_search_base = ou=sudoers,dc=hosted,dc=domain,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/cypress.hosted.domain.com ldap_sasl_realm = HOSTED.DOMAIN.COM krb5_server = ipa.hosted.domain.com [sssd] services = nss, pam, ssh, pac, sudo config_file_version = 2 domains = hosted.domain.com debug_level=6 [nss] [pam] [sudo] debug_level=6 [autofs] [ssh] [pac] [root@cypress sssd]#
