Hi,

I looked in the sudo_debug log and found the following line:

Mar 7 11:00:08 sudo[31293] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/<DOMAIN>/f.zoske ; USER=root ; COMMAND=/bin/bash

On our IPA server I have the following rules:

HBAC:
Name: allow_all_admins
Who: Group: admins
Accessing: Any Host
Via Service: Any Service

SUDO:
Name: allow_all_all
Who: Group: admins
Access this host: Any Host
Run Commands: Any Command
As Whom: Anyone

In our setup I have an AD trust established to a multi-domain forest, and in our sssd.conf I had to adjust the UPN via the following lines (suggested by Jakub):

subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

Is anything of this related to the problem? Shall I send you the log files of sssd and sudo?

Best regards,
Fabian

-----Original Message-----
From: Alexander Bokovoy [mailto:[email protected]]
Sent: Monday, 7 March 2016 09:55
To: Zoske, Fabian
Cc: [email protected]
Subject: Re: [Freeipa-users] SSSD does not fetch Sudo Rules anymore

On Mon, 07 Mar 2016, Zoske, Fabian wrote:
>Thank you for your explanation.
>
>I looked in the sssd_<DOMAIN>.log and found the actual LDAP filter.
>The problem seems to be the first part again:
>(&(objectclass=sudoRole)(entryUSN>=485025)(!(entryUSN=485025))).
>In the LDAP tree I can't see any attribute named entryUSN.
>
>Is this related to the problem?

No, it is not. entryUSN is an attribute that is not stored in the entry; it is a feature that adds a monotonically increasing value to any update of an entry. It is used to check whether entries were changed since the last search.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
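As an added illustration of the entryUSN-based "smart refresh" filter quoted in the thread (example code written for this page, not SSSD or 389-ds code; the in-memory directory, its DNs and USN values are constructed):

```python
"""Model of SSSD's incremental sudo-rule refresh built on entryUSN.

Added example, not SSSD or 389-ds code. DIRECTORY is a constructed
stand-in for the IPA LDAP tree; attribute names (objectclass, entryUSN)
follow the filter quoted in the thread.
"""

# Constructed sample entries. entryUSN is an operational attribute that
# the server bumps on every update, so a plain tree browser does not
# show it even though searches can filter on it.
DIRECTORY = [
    {"dn": "cn=allow_all_all,ou=sudoers,dc=example,dc=test",
     "objectclass": "sudoRole", "entryUSN": 485025},
    {"dn": "cn=dba_rules,ou=sudoers,dc=example,dc=test",
     "objectclass": "sudoRole", "entryUSN": 485101},
    {"dn": "uid=f.zoske,cn=users,dc=example,dc=test",
     "objectclass": "posixAccount", "entryUSN": 485200},
]


def smart_refresh_filter(last_usn: int) -> str:
    """Build the filter SSSD logs for an incremental sudo-rule refresh.

    LDAP filters only offer ">=" and "<=", so the (!(entryUSN=N)) clause
    is what excludes the entry whose USN was the high-water mark of the
    previous search; without it that rule would be re-fetched every time.
    """
    return ("(&(objectclass=sudoRole)"
            f"(entryUSN>={last_usn})(!(entryUSN={last_usn})))")


def matches(entry: dict, last_usn: int) -> bool:
    """Evaluate the smart-refresh filter against one entry."""
    return (entry["objectclass"] == "sudoRole"
            and entry["entryUSN"] >= last_usn
            and entry["entryUSN"] != last_usn)


def smart_refresh(directory: list, last_usn: int) -> tuple:
    """Return (sudoRole entries changed since last_usn, new high-water mark).

    A full refresh would drop the entryUSN clauses entirely; the smart
    refresh only pulls rules modified after the USN seen last time, and
    keeps the old mark when nothing changed.
    """
    changed = [e for e in directory if matches(e, last_usn)]
    new_usn = max((e["entryUSN"] for e in changed), default=last_usn)
    return changed, new_usn
```

If a smart refresh keeps returning nothing while rules exist, the page's hint is to compare this filter with a full-refresh search (no entryUSN clauses) rather than to look for entryUSN in the tree.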
