Thanks Lukas,

I'm very glad to have concrete debugging suggestions. I'll investigate as
you suggest and report back.

Thanks again,

Andrew

On Fri, Apr 17, 2015 at 2:28 PM, Lukas Slebodnik <lsleb...@redhat.com>
wrote:

> On (17/04/15 11:32), Andrew Sacamano wrote:
> >Hi everyone,
> >
> >
> >I've spent a couple of days digging around the web, watching logs, and
> >poking things, and I'm stuck getting sudo working with IPA on a new box
> >I've just set up. I have had it working in the past on a test box, but
> >something about this box is blocking me, and I can't for the life of me
> >figure out what.
> >
> >
> >The basic symptom is that I can log into the Ubuntu box as an IPA user, but
> >sudo is always denied:
> >
> >
> >[root@security-core-1 log]# ssh dru@jenkins
> >
> >dru@jenkins's password:
> >
> >...
> >
> >Could not chdir to home directory /home/dru: No such file or directory
> >
> >dru@jenkins:/$ sudo -l
> >
> >[sudo] password for dru:
> >
> >Sorry, user dru may not run sudo on jenkins.
> >
> >
> >I've appended version output, config files, sample logs, and ipa config -
> >which I think is all of the relevant material, but I'll gladly share more
> >if it's needed.
> >
> >
> >Thanks so much in advance for any debugging advice, hints, or help!
> >
> >
>
> I looked at the configuration files and they look good.
>
> I have a few hints which might help you with troubleshooting:
> * please ensure you have installed package sudo and not sudo-ldap.
>   The second one is not built with sssd support.
> * please read about sudo caching in sssd
>   man sssd-sudo -> THE SUDO RULE CACHING MECHANISM
> * please test simple sudo rules first.
>   (all hosts, one user instead of groups, ...)
> * check whether sudo rules are cached by sssd (use ldb-tools)
>
> If the previous hints do not help, then you need to enable
> debugging in sudo and analyse the log file.
> @see slide 18 in presentation[1]
>
> LS
>
> [1] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
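
The package check and the cached-rule check from the hints quoted above, as an added shell example that is not part of the original thread. It assumes a Debian/Ubuntu client (`dpkg-query`), the SSSD cache at `/var/lib/sss/db/cache_<domain>.ldb`, and cached rules stored under `cn=sudorules`; the sample data is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): helpers for two of the checks above.

# Reads `dpkg-query -W -f='${Package} ${Status}\n' sudo sudo-ldap` on stdin.
# Prints ok | sudo-ldap-installed | sudo-missing.
classify_sudo_pkg() {
  awk '$1 == "sudo"      && $NF == "installed" { sudo = 1 }
       $1 == "sudo-ldap" && $NF == "installed" { ldap = 1 }
       END { print (ldap ? "sudo-ldap-installed" : (sudo ? "ok" : "sudo-missing")) }'
}

# Reads ldbsearch LDIF on stdin and prints the names of cached sudo rules.
# Folded lines (continuations start with one space) are rejoined first.
# Assumption: rules live under name=<rule>,cn=sudorules,cn=custom,... in the cache.
cached_sudo_rules() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (NR > 1) print buf; buf = $0 }
       END { if (NR > 0) print buf }' |
    sed -n 's/^dn: name=\([^,]*\),cn=sudorules,.*/\1/p'
}

# Constructed sample data, so the helpers can be tried offline.
SAMPLE_PKG='sudo-ldap install ok installed'
SAMPLE_LDIF='# record 1
dn: name=allow_all,cn=sudorules,cn=custom,cn=example.com,cn=sysdb
objectClass: sudoRule

# record 2
dn: name=web_admins,cn=sudor
 ules,cn=custom,cn=example.com,cn=sysdb
objectClass: sudoRule'

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  # Live check on the client; $2 is the SSSD domain name (needs root for the cache).
  dpkg-query -W -f='${Package} ${Status}\n' sudo sudo-ldap 2>/dev/null | classify_sudo_pkg
  ldbsearch -H "/var/lib/sss/db/cache_$2.ldb" -b cn=sysdb '(objectClass=sudoRule)' |
    cached_sudo_rules
else
  printf '%s\n' "$SAMPLE_PKG" | classify_sudo_pkg
  printf '%s\n' "$SAMPLE_LDIF" | cached_sudo_rules
fi
```

An empty rule list from the live run means SSSD has not cached any sudo rules for that domain.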
