I looked in the sudo_debug log and found the following line:
Mar  7 11:00:08 sudo[31293] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/<DOMAIN>/f.zoske ; USER=root ; 

On our IPA server I have the following rules:

Name: allow_all_admins
Who: Group: admins
Accessing: Any Host
Via Service: Any Service

Name: allow_all_all
Who: Group: admins
Access this host: Any Host
Run Commands: Any Command
As Whom: Anyone

In our setup I have an AD trust established to a multi-domain forest, and in our 
sssd.conf I had to adjust the UPN via the following lines (suggested by Jakub):
subdomain_inherit = ldap_user_principal 
ldap_user_principal = nosuchattr

Is any of this related to the problem?
Shall I send you the log files of sssd and sudo?

Best regards,

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Monday, 7 March 2016 09:55
To: Zoske, Fabian
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSSD does not fetch Sudo Rules anymore

On Mon, 07 Mar 2016, Zoske, Fabian wrote:
>Thank you for your explanation.
>I looked in the sssd_<DOMAIN>.log and found the actual LDAP-Filter.
>The problem seems to be the first part again: 
>In the LDAP-Tree I can't see any attribute named entryUSN.
>Is this related to the problem?
No, it is not. entryUSN is an attribute that is not stored in the entry; it is 
a feature that adds a monotonically increased value to any update of an entry. 
It is used to check whether entries were changed since the last search.

/ Alexander Bokovoy
