Sean, Thanks for the reply. I don't think that's my problem but I'm posting a redacted copy of the sssd.conf file for review below.
[domain/domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = docker-dev-01.domain.com
chpass_provider = ipa
ipa_server = _srv_, server.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level=7

[sssd]
services = nss, sudo, pam, ssh
debug_level=7
domains = domain.com

[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level=7

[autofs]

[ssh]

[pac]

[ifp]

Jeff

On Wed, Aug 10, 2016 at 2:04 PM, Sean Hogan <scho...@us.ibm.com> wrote:

> Not sure it is the same as 14.X but I had to add the sudo in the list of
> services to sssd.conf as it was not put in by default. I am by no means an
> expert on it but my own personal experience with 14.x
>
> Sean Hogan
>
> From: Jeff Goddard <jgodd...@emerlyn.com>
> To: email@example.com
> Date: 08/10/2016 10:52 AM
> Subject: [Freeipa-users] sudo rules question on ubuntu 16.0.1
> Sent by: freeipa-users-boun...@redhat.com
> ------------------------------
>
> I've got a freeipa domain and many centos 7.2 clients. I also have a sudo
> rule that allows members of the developer group sudo rights on virtual
> servers in the "development" group. This works great on the centos servers.
> However, I recently set up 3 ubuntu boxes, and added them to the IPA domain
> and then to the "development" group. My sudo rules fail. I've enabled
> debugging and I see in the /var/log/sssd/sssd_sudo.log that the client
> connects to the server, identifies group memberships, and finally prints
> "returning 1 rules for [u...@domain.com]". We only
> have the single rule so I can't figure out why it's not working. Can
> someone point me in the correct direction?
>
> Thanks,
>
> Jeff
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project