Thanks again Lukas,

These turned out to be very helpful debugging suggestions, and were the
critical part of getting the problem solved - the pointer to ldb-tools was
extremely helpful in identifying where the issue was happening!

With them, I was able to see the right sudo rules were being cached, and
that the change from sudo working to sudo not working happened not because
of the host, but because of the user, and in particular, the user being
listed explicitly, or only as part of a group.  The user's groups were
being listed in the user's entry in the cache, but not when running the
"id" command.  Some quick googling, and I discovered that in Ubuntu 14.04,
the sssd option "enumerate" defaults to false, which meant that the group
memberships were not taking effect, which meant that sudo rules based on
membership in a group weren't working. Setting enumerate to true got
everything working.

Many thanks again!
