On Wed, Jul 29, 2015 at 04:32:42PM +0200, Martin Kosek wrote:
> On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote:
> > Hello!
> >
> > I'm using FreeIPA 4.1.x on CentOS 7. Is there any delay after applying
> > some rules to a specified user?
> >
> > [root@ipa ~]# ipa sudorule-show
> > Rule name: wheel
> >   Rule name: Wheel
> >   Enabled: TRUE
> >   Host category: all
> >   Command category: all
> >   RunAs User category: all
> >   RunAs Group category: all
> >   Sudo order: 1
> >   Users: dewangga
> >   User Groups: wheel
> >   Sudo Option: !authenticate
> >
> >
> > On ipa-client, user `dewangga` is asked for a password when executing the
> > command `sudo -l`
> >
> > [dewangga@sherief-repository ~]$ sudo -l
> > [sudo] password for dewangga:
> >
> > Here is the `ipa user-show dewangga` result:
> >
> > $ ipa user-show dewangga
> >   User login: dewangga
> >   First name: Dewangga
> >   Last name: Alam
> >   Home directory: /home/dewangga
> >   Login shell: /bin/bash
> >   Email address: [removed]
> >   UID: 642000001
> >   GID: 642000001
> >   Account disabled: False
> >   Password: False
> >   Member of groups: wheel
> >   Member of Sudo rule: Wheel
> >   Kerberos keys available: False
> >   SSH public key fingerprint: [removed] mahaesa-key (ssh-rsa)
> >
> > Any help is appreciated.
> > Thanks
>
> I suspect that SSSD cache is in play. You can try to remove it ("man
> sss_cache"
> or remove it manually "stop sssd, remove /var/lib/sss/db/* and start sssd
> again").

I think restarting SSSD should help here. You can read the type of sudo refreshes sssd does in man sssd-sudo. If it doesn't, we need sssd logs.