On Mon, Mar 30, 2015 at 08:09:43AM +0000, Alexander Frolushkin wrote:
> Hello everyone.
> We have a IPA 3 and AD domain trust.
> Users from AD successfully logs on to linux servers via ssh and hbac rules 
> works fine with external groups. But not a sudo rules.
> When rule defines as 'who' IPA users rule works well. If it is defines 
> external group for corresponding AD group which is AD user member of, this 
> user gets
> u...@ad.com<mailto:u...@ad.com> is not allowed to run sudo on host.com.  This 
> incident will be reported.
> 
> In debug there is a strings
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): 
> No such entry
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
> (0x0200): Searching sysdb with 
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=u...@ad.com)(
> sudoUser=#xxxxxxxxxx)(sudoUser=%....cuted.......(sudoUser=%....cuted.....)(sudoUser=+*))(&(dataExpireTimestamp<=1427702040)))]
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
> (0x0020): Error looking up SUDO rules(Mon Mar 30 13:54:00 2015) [sssd[sudo]] 
> [sudosrv_get_rules] (0x0020): Unable to retr
> ieve expired sudo rules [5]: Input/output error
> 
> I've seen a number of closed bugs with similar error message, but at last on 
> this RHEL 6.6 server sssd is fully updated.
> 
> And sorry for the huge underlined message, it is generated automatically and 
> I have no rights to avoid it in my mails :(
> 

Just to close this thread, we tracked the issue down into this SSSD bug
- https://fedorahosted.org/sssd/ticket/2613

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to