Hi Lukas,
sorry to say, but nothing helps.

I have just updated IPA server, so that now it is:
[root@svlxxipap ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

with:
[root@svlxxipap ~]# rpm -qa|grep ipa
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64

I have also changed sudoers to sudo in sssd.conf as you suggested and
restarted sssd.
No difference, still:
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.to...@sd-stc.cz:
simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will be
reported.

I guess I will pilot some more IPA clients to make sure it works reliably
and if yes, I guess we will be able to live with the fact that older
Linuxes do not offer sudo to AD clients.

Or do you think there is something more to try?

Thanks

T.

2016-07-14 13:32 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:

> On (14/07/16 13:06), Tomas Simecek wrote:
> >Hi Lukas,
> >I did as you said.
> >Logs are attached to this mail.
> >
> Thank you very much for provided data.
>
> The main problem is that full refresh of sudo rules did not store any
> rules.
>
> It might be caused by following errors which might be caused by issues
> with old buggy IPA server on CentOS 7.0
>
> [ipa_s2n_save_objects] (0x2000): Updating memberships for
> borek.pa...@sd-stc.cz
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [
> borek.pa...@sd-stc.cz] to group [name=acco...@sd-stc.cz,cn=groups,cn=
> sd-stc.cz,cn=sysdb]. Skipping.
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [
> borek.pa...@sd-stc.cz] to group [name=borek.pa...@sd-stc.cz,cn=groups,cn=
> sd-stc.cz,cn=sysdb]. Skipping.
>
> Attached is a reduced log.
>
> You might try new feature in sssd-1.13 on el6 which will
> avoid using compat tree for sudo.
>
> Try to change ldap_sudo_search_base from
> ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz
>
> It does not mean that it will solve issue with extop plugin
> on IPA server (ipa_s2n_save_objects)
>
> If it does not help then please provide the same data as in previous mail.
> BTW I strongly suspect issues on IPA server on CentOS 7.0.
> It might work on CentOS 7.0 client only by chance.
>
> LS
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
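
Added example, not part of the original thread: a small triage script that pulls the skipped group memberships out of an SSSD domain log like the one quoted above, so the affected users can be listed before and after a server or client change. The sample lines are constructed (names, domain and the timestamp prefix are assumptions), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the log excerpt quoted in the thread.
# Timestamps, domain and user/group names are made up for this example.
SAMPLE_LOG = """\
(Thu Jul 14 13:06:01 2016) [sssd[be[example.test]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for alice@example.test
(Thu Jul 14 13:06:01 2016) [sssd[be[example.test]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 13:06:01 2016) [sssd[be[example.test]]] [sysdb_update_members_ex] (0x0020): Could not add member [alice@example.test] to group [name=admins@example.test,cn=groups,cn=example.test,cn=sysdb]. Skipping.
(Thu Jul 14 13:06:01 2016) [sssd[be[example.test]]] [sysdb_update_members_ex] (0x0020): Could not add member [alice@example.test] to group [name=alice@example.test,cn=groups,cn=example.test,cn=sysdb]. Skipping.
(Thu Jul 14 13:06:02 2016) [sssd[be[example.test]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for bob@example.test
"""

UPDATING = re.compile(r"Updating memberships for (\S+)")
SKIPPED = re.compile(
    r"Could not add member \[\s*([^\]\s]+)\s*\] to group \[name=([^,\]]+),"
)


def membership_report(log_text):
    """Map each user whose memberships were updated to the groups SSSD skipped.

    Users with an empty list were processed without a cache error.
    """
    # Mail clients and pagers wrap long records; collapsing all whitespace
    # lets the patterns match whether or not a record was split.
    flat = " ".join(log_text.split())
    skipped = defaultdict(set)
    for user, group in SKIPPED.findall(flat):
        skipped[user].add(group)
    users = set(UPDATING.findall(flat)) | set(skipped)
    return {user: sorted(skipped[user]) for user in sorted(users)}


if __name__ == "__main__":
    for user, groups in membership_report(SAMPLE_LOG).items():
        status = "skipped: " + ", ".join(groups) if groups else "ok"
        print(f"{user}: {status}")
```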
