On Mon, 07 Mar 2016, Zoske, Fabian wrote:
Hi,
in our environment server (ipa-server-4.2.0-15.el7_2.6.x86_64 and
sssd-1.13.0-40.el7_2.1.x86_64 on CentOS 7.2) and client
(ipa-client-4.2.0-15.el7_2.6.x86_64 and sssd-1.13.0-40.el7_2.1.x86_64
on CentOS 7.2) SUDO rules doesn’t get fetched anymore.
I debugged SSSD and SUDO and found out, that the first LDAP filter is
(objectClass=sudoRule) and in our IPA-LDAP every rule has the class
“sudoRole” not “sudoRule”.
This has nothing to do with your problem. sudoRole is a known artefact
from SUDO LDAP support -- the schema SUDO uses to store data in LDAP has
this object class. SSSD searches in its own cache first and in that
cache it uses an object class named sudoRule.
These are searches against different databases and they are perfectly
fine.
Is there a way to fix this behavior?
You need to find out what exactly is failing in your case, the
'difference' above is not a problem.
See https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
