On Wed, May 27, 2015 at 04:27:45PM -0700, nat...@nathanpeters.com wrote:
> > I have a CentOS 6.3 client with sssd 1.11.6-30.el6_6.4 installed and when
> > one of my FreeIPA users tries to sudo (he has permissions via group
> > membership) I get the following error in /var/log/messages
> >
> > May 27 20:51:34 ipaclient sssd[be[mydomain.net]]: dereference processing
> > failed : Invalid argument
> >
> > I have read that this is a known bug
> > (https://bugzilla.redhat.com/show_bug.cgi?id=1154042) and that the
> > suggested fix is to add the following line to the domain section of the
> > sssd.conf :
> >
> > ldap_group_object_class = ipaUserGroup
> >
> > I tried adding that and then restarting the client, but it did not fix the
> > problem.  I have also read that this problem may only apply to POSIX
> > groups so I removed my user from all POSIX groups, added him to non posix
> > groups and then created some new sudo rules and hbac rules. I restarted
> > the client again and still had the same issue where I could login but not
> > sudo.
> >
> > Is there a known workaround that actually works?
> >
> > I see this bug is supposed to be fixed in sssd 1.11.8.  Is this version of
> > sssd going to be released into any repo for CentOS 6?
> >
> > I just had a look at the CentOS 6 updates repo and sssd is still at
> > 1.11.6-30
> >
> >
> > --
> 
> Well, I found that if I updated to CentOS 6.5 and then put the user in all
> non posix groups and renamed my sudo rules so they were different names
> than my hbac rules I could finally log in and sudo properly with no
> messing with my sssd.conf file.
> 
> Nothing I tried in CentOS 6.3 would work though.

btw in upstream we relaxed the dereference processing a bit and now we
just skip the faulty rules.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to