On (17/04/15 11:32), Andrew Sacamano wrote:
>Hi everyone,
>
>I've spent a couple of days digging around the web, watching logs, and
>poking things, and I'm stuck getting sudo working with IPA on a new box
>I've just set up. I have had it working in the past on a test box, but
>something about this box is blocking me, and I can't for the life of me
>figure out what.
>
>The basic symptom is that I can log into the Ubuntu box as an IPA user, but
>sudo is always denied:
>
>[root@security-core-1 log]# ssh dru@jenkins
>dru@jenkins's password:
>...
>Could not chdir to home directory /home/dru: No such file or directory
>dru@jenkins:/$ sudo -l
>[sudo] password for dru:
>Sorry, user dru may not run sudo on jenkins.
>
>I've appended version output, config files, sample logs, and ipa config -
>which I think is all of the relevant material, but I'll gladly share more
>if it's needed.
>
>Thanks so much in advance for any debugging advice, hints, or help!
>
I looked at the configuration files and they look good.
I have a few hints which might help you with troubleshooting:

* please ensure you have installed the package sudo and not sudo-ldap.
  The second one is not built with sssd support.
* please read about sudo caching in sssd
  man sssd-sudo -> THE SUDO RULE CACHING MECHANISM
* please test simple sudo rules first. (all hosts, one user instead of groups, ...)
* check whether sudo rules are cached by sssd (use ldb-tools)

If the previous hints do not help then you need to enable debugging in sudo
and analyse the log file. @see slide 18 in presentation[1]

LS

[1] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
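
Added example, not part of the original message or of FreeIPA/SSSD: one way to do the "check whether sudo rules are cached by sssd" step by summarising ldbsearch output. The cache path, search base and attribute names assume SSSD's usual sysdb layout; DOMAIN, the function names and the sample LDIF are constructed for illustration.

```shell
# Added example, not from the thread. Assumes SSSD's usual sysdb layout;
# DOMAIN is a placeholder. Live use, as root:
#   ldbsearch -H /var/lib/sss/db/cache_DOMAIN.ldb \
#     -b cn=sudorules,cn=custom,cn=DOMAIN,cn=sysdb | summarise_rules

# LDIF on stdin -> one line per cached rule: cn|users|hosts|commands
summarise_rules() {
    awk '
        function add(l, v) { return (l == "") ? v : (l "," v) }
        function emit() {
            if (rule) print cn "|" u "|" h "|" c
            rule = 0; cn = u = h = c = ""
        }
        /^objectClass: sudoRule$/ { rule = 1 }
        /^cn: /          { cn = substr($0, 5) }
        /^sudoUser: /    { u = add(u, substr($0, 11)) }
        /^sudoHost: /    { h = add(h, substr($0, 11)) }
        /^sudoCommand: / { c = add(c, substr($0, 14)) }
        /^$/             { emit() }
        END              { emit() }
    '
}

# Succeeds if a summarised rule names USER (or ALL) on HOST (or ALL).
# %group and +netgroup entries are not expanded here.
rule_covers() {
    awk -F"|" -v user="$1" -v host="$2" '
        function has(list, v,   a, n, i) {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == v || a[i] == "ALL") return 1
            return 0
        }
        has($2, user) && has($3, host) { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of ldbsearch output (all names are made up).
sample_ldif() {
    printf '%s\n' 'dn: cn=sudorules,cn=custom,cn=example.test,cn=sysdb' \
        'cn: sudorules' '' \
        'dn: name=admins_all,cn=sudorules,cn=custom,cn=example.test,cn=sysdb' \
        'cn: admins_all' 'objectClass: sudoRule' 'sudoUser: %admins' \
        'sudoHost: ALL' 'sudoCommand: ALL' '' \
        'dn: name=alice_web1,cn=sudorules,cn=custom,cn=example.test,cn=sysdb' \
        'cn: alice_web1' 'objectClass: sudoRule' 'sudoUser: alice' \
        'sudoHost: web1.example.test' 'sudoCommand: /usr/bin/systemctl'
}
sample_ldif | summarise_rules
```

A rule whose sudoUser is a %group appears in the summary but is not counted by rule_covers, which fits the advice above to test with a single user before groups.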