On Wed, May 27, 2015 at 04:27:45PM -0700, nat...@nathanpeters.com wrote: > > I have a CentOS 6.3 client with sssd 1.11.6-30.el6_6.4 installed and when > > one of my FreeIPA users tries to sudo (he has permissions via group > > membership) I get the following error in /var/log/messages > > > > May 27 20:51:34 ipaclient sssd[be[mydomain.net]]: dereference processing > > failed : Invalid argument > > > > I have read that this is a known bug > > (https://bugzilla.redhat.com/show_bug.cgi?id=1154042) and that the > > suggested fix is to add the following line to the domain section of the > > sssd.conf : > > > > ldap_group_object_class = ipaUserGroup > > > > I tried adding that and then restarting the client, but it did not fix the > > problem. I have also read that this problem may only apply to POSIX > > groups so I removed my user from all POSIX groups, added him to non posix > > groups and then created some new sudo rules and hbac rules. I restarted > > the client again and still had the same issue where I could login but not > > sudo. > > > > Is there a known workaround that actually works? > > > > I see this bug is supposed to be fixed in sssd 1.11.8. Is this version of > > sssd going to be released into any repo for CentOS 6? > > > > I just had a look at the CentOS 6 updates repo and sssd is still at > > 1.11.6-30 > > > > > > -- > > Well, I found that if I updated to CentOS 6.5 and then put the user in all > non posix groups and renamed my sudo rules so they were different names > than my hbac rules I could finally log in and sudo properly with no > messing with my sssd.conf file. > > Nothing I tried in CentOS 6.3 would work though.
btw in upstream we relaxed the dereference processing a bit and now we just skip the faulty rules. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project