Sean,

Thanks for the reply. I don't think that's my problem but I'm posting a
redacted copy of the sssd.conf file for review below.


[domain/domain.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = docker-dev-01.domain.com
chpass_provider = ipa
ipa_server = _srv_, server.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level=7
[sssd]
services = nss, sudo, pam, ssh
debug_level=7
domains = domain.com
[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level=7
[autofs]

[ssh]

[pac]

[ifp]

Jeff

On Wed, Aug 10, 2016 at 2:04 PM, Sean Hogan <scho...@us.ibm.com> wrote:

> Not sure it is the same as 14.X but I had to add the sudo in the list of
> services to sssd.conf as it was not put in by default. I am by no means an
> expert on it but my own personal experience with 14.x
>
>
>
> Sean Hogan
>
> From: Jeff Goddard <jgodd...@emerlyn.com>
> To: freeipa-users@redhat.com
> Date: 08/10/2016 10:52 AM
> Subject: [Freeipa-users] sudo rules question on ubuntu 16.0.1
> Sent by: freeipa-users-boun...@redhat.com
> ------------------------------
>
>
>
> I've got a freeipa domain and many centos 7.2 clients. I also have a sudo
> rule that allows members of the developer group sudo rights on virtual
> servers in the "development" group. This works great on the centos servers.
> However, I recently set up 3 ubuntu boxes, and added them to the IPA domain
> and then to the "development" group. My sudo rules fail. I've enabled
> debugging and I see in the /var/log/sssd/sssd_sudo.log that the client
> connects to the server, identifies group memberships, and finally prints
> "returning 1 rules for [u...@domain.com]". We only
> have the single rule so I can't figure out why it's not working. Can
> someone point me in the correct direction?
>
> Thanks,
>
> Jeff
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project