Hi Lukas,

sorry to say, but nothing helps.
I have just updated IPA server, so that now it is:

[root@svlxxipap ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

with:

[root@svlxxipap ~]# rpm -qa|grep ipa
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64

I have also changed sudoers to sudo in sssd.conf as you suggested and restarted sssd.
No difference, still:

[[email protected]@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for [email protected]:
[email protected] is not in the sudoers file. This incident will be reported.

I guess I will pilot some more IPA clients to make sure it works reliably and if yes, I guess we will be able to live with the fact that older Linuxes do not offer sudo to AD clients.
Or do you think there is something more to try?

Thanks
T.

2016-07-14 13:32 GMT+02:00 Lukas Slebodnik <[email protected]>:

> On (14/07/16 13:06), Tomas Simecek wrote:
> >Hi Lukas,
> >I did as you said.
> >Logs are attached to this mail.
> >
> Thank you very much for the provided data.
>
> The main problem is that full refresh of sudo rules did not store any
> rules.
>
> It might be caused by the following errors which might be caused by issues
> with old buggy IPA server on CentOS 7.0
>
> [ipa_s2n_save_objects] (0x2000): Updating memberships for [email protected]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [[email protected]] to group [[email protected],cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [[email protected]] to group [[email protected],cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>
> Attached is a reduced log.
>
> You might try new feature in sssd-1.13 on el6 which will
> avoid using compat tree for sudo.
>
> Try to change ldap_sudo_search_base from
> ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz
>
> It does not mean that it will solve issue with extop plugin
> on IPA server (ipa_s2n_save_objects)
>
> If it does not help then please provide the same data as in previous mail.
> BTW I strongly suspect issues on IPA server on CentOS 7.0.
> It might work on CentOS 7.0 client only by chance.
>
> LS
>
