Hi,

I looked in the sudo_debug log and found the following line:
Mar  7 11:00:08 sudo[31293] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/<DOMAIN>/f.zoske ; USER=root ; COMMAND=/bin/bash

On our IPA server I have the following rules:

HBAC:
Name: allow_all_admins
Who: Group: admins
Accessing: Any Host
Via Service: Any Service

SUDO:
Name: allow_all_all
Who: Group: admins
Access this host: Any Host
Run Commands: Any Command
As Whom: Anyone

In our setup I have an AD trust established to a multi-domain forest, and in our 
sssd.conf I had to adjust the UPN via the following lines (suggested by Jakub):
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

Is anything of this related to the problem?
Shall I send you the log files of sssd and sudo?

Best regards,
Fabian


-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Monday, 7 March 2016 09:55
To: Zoske, Fabian
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSSD does not fetch Sudo Rules anymore

On Mon, 07 Mar 2016, Zoske, Fabian wrote:
>Thank you for your explanation.
>
>I looked in the sssd_<DOMAIN>.log and found the actual LDAP-Filter.
>The problem seems to be the first part again: 
>(&(objectclass=sudoRole)(entryUSN>=485025)(!(entryUSN=485025))).
>In the LDAP-Tree I can't see any attribute named entryUSN.
>
>Is this related to the problem?
No, it is not. entryUSN is an attribute that is not stored in the entry; it is 
a feature that adds a monotonically increasing value to any update of an entry. 
It is used to check whether entries were changed since the last search.


--
/ Alexander Bokovoy
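To make the entryUSN mechanism Alexander describes concrete, here is an added worked example in Python; it is not code from the thread, from SSSD or from FreeIPA. It simulates one "smart refresh" cycle over a handful of constructed directory entries: the first fetch asks for every sudoRole, each later fetch builds the same filter shape Fabian quoted, `(&(objectclass=sudoRole)(entryUSN>=N)(!(entryUSN=N)))`, with N being the highest entryUSN seen so far, so only rules changed since the last search come back. The rule names, the second and third entries, and every USN value other than 485025 are constructed.

```python
import re

# Constructed directory entries (not real data from the thread). entryUSN is an
# operational attribute maintained by the server rather than a user attribute of
# the entry, which is why a browser that lists only regular attributes will not
# show it even though the server evaluates it in filters.
SAMPLE_ENTRIES = [
    {"cn": "allow_all_all", "objectclass": ["sudoRole"], "entryUSN": 485025,
     "sudoUser": ["%admins"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},
    {"cn": "allow_backup", "objectclass": ["sudoRole"], "entryUSN": 485031,
     "sudoUser": ["%backup"], "sudoHost": ["ALL"], "sudoCommand": ["/usr/bin/rsync"]},
    # Not a sudo rule: must never be returned even though its USN is higher.
    {"cn": "some_group", "objectclass": ["groupOfNames"], "entryUSN": 485042},
]


def build_filter(last_usn):
    """Build the fetch filter for one refresh cycle.

    With no high-water mark yet (first run) every sudoRole is fetched. Afterwards
    only rules with entryUSN strictly greater than last_usn are wanted; LDAP has
    '>=' but no '>', so the (!(entryUSN=N)) clause removes N itself.
    """
    if last_usn is None:
        return "(objectclass=sudoRole)"
    return (f"(&(objectclass=sudoRole)(entryUSN>={last_usn})"
            f"(!(entryUSN={last_usn})))")


_FULL = re.compile(r"^\(objectclass=(\w+)\)$")
_INCR = re.compile(
    r"^\(&\(objectclass=(\w+)\)\(entryUSN>=(\d+)\)\(!\(entryUSN=(\d+)\)\)\)$")


def entry_matches(entry, ldap_filter):
    """Evaluate the two filter shapes produced by build_filter against one entry."""
    classes = [c.lower() for c in entry["objectclass"]]
    m = _FULL.match(ldap_filter)
    if m:
        return m.group(1).lower() in classes
    m = _INCR.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    objectclass, lower_bound, excluded = m.group(1), int(m.group(2)), int(m.group(3))
    usn = entry["entryUSN"]
    return objectclass.lower() in classes and usn >= lower_bound and usn != excluded


def refresh(entries, last_usn):
    """Run one refresh: return (names of changed rules, new high-water mark).

    The high-water mark only moves forward; an empty result keeps the old value.
    """
    ldap_filter = build_filter(last_usn)
    changed = [e for e in entries if entry_matches(e, ldap_filter)]
    new_usn = max([e["entryUSN"] for e in changed] + [last_usn or 0])
    return [e["cn"] for e in changed], new_usn


if __name__ == "__main__":
    # First (full) refresh, then two incremental refreshes.
    mark = None
    for _ in range(3):
        names, new_mark = refresh(SAMPLE_ENTRIES, mark)
        print(f"{build_filter(mark)} -> {names}, high-water mark {new_mark}")
        mark = new_mark
    # Reproduce the filter from the thread: only rules changed after USN 485025.
    print(refresh(SAMPLE_ENTRIES, 485025))
```

Running it shows the full fetch returning both rules, the incremental filter with the thread's value 485025 returning only the rule modified afterwards, and a refresh with nothing changed returning an empty list while keeping the high-water mark. The point for troubleshooting is that an empty incremental result is normal when nothing was modified; it does not mean the rule is missing from the cache, and the absence of entryUSN in a directory browser is expected.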

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project