On Mon, 07 Mar 2016, Zoske, Fabian wrote:
Hi,

I looked in the sudo_debug log and found the following line:
Mar  7 11:00:08 sudo[31293] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/<DOMAIN>/f.zoske ; USER=root ; COMMAND=/bin/bash

On our IPA-Server I have the following rules:

HBAC:
Name: allow_all_admins
Who: Group: admins
Accessing: Any Host
Via Service: Any Service

SUDO:
Name: allow_all_all
Who: Group: admins
Access this host: Any Host
Run Commands: Any Command
As Whom: Anyone

In our setup I have AD-Trust established to a multi-domain forest and in our 
sssd.conf I had to adjust the UPN via the following lines (suggested by Jakub):
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

Is any of this related to the problem?
Shall I send you the log files of sssd and sudo?
Off-list, please.

--
/ Alexander Bokovoy
