Thanks Simon,

Is this a known issue? We're on CentOS 7.2 and yes, the sssd version is 1.13.

/tony

On Tue, 2016-08-23 at 06:49 +0000, Simpson Lachlan wrote:
> What version of sssd are you using?
>
> We found that it wouldn't work with sssd < 1.14
>
> On the IPA server, it would say "yep rule applies", but then on any
> particular machine it wouldn't (well, it would - but only intermittently).
>
> There's a COPR repo for CentOS 7 if you aren't on Fedora/RedHat.
>
> Cheers
> L.
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Tony Brian Albers
> Sent: Tuesday, 23 August 2016 4:24 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] can't get sudo to work.
>
> Hi guys,
>
> I've been trying to get sudo to work for our day-to-day admins who have their
> own user group in IPA called subadmin.
>
> For some reason I can't really get sudo to work, I suspect I am missing
> something simple, but I can't really figure out what it is.
>
> This is my config:
>
> # ipa sudorule-find
> -------------------
> 1 Sudo Rule matched
> -------------------
>   Rule name: All
>   Enabled: TRUE
>   Host category: all
>   Command category: all
>   User Groups: subadmin
> ----------------------------
> Number of entries returned 1
> ----------------------------
> #
>
> # ipa group-find subadmin
> ---------------
> 1 group matched
> ---------------
>   Group name: subadmin
>   Description: For daily administration of users and hosts
>   GID: 10003
>   Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm
>   Roles: Sub-admins
>   Member of Sudo rule: All
> ----------------------------
> Number of entries returned 1
> ----------------------------
> #
>
> And on a client:
>
> # cat /etc/sssd/sssd.conf
> [domain/kac.lokalnet]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = kac.sblokalnet
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kac-man-001.kac.lokalnet
> chpass_provider = ipa
> ipa_server = _srv_, kac-adm-001.kac.lokalnet
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> krb5_renewable_lifetime = 50d
> krb5_renew_interval = 3600
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
>
> domains = kac.lokalnet
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> nsswitch.conf:
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> #initgroups: files
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns myhostname
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  sss files
> aliases:    files nisplus
> sudoers:    files sss
>
> And for a subadmin account:
>
> -sh-4.2$ sudo -l
> [sudo] password for tba-sadm:
> Your password will expire in 6 day(s).
> User tba-sadm is not allowed to run sudo on kac-man-001.
> -sh-4.2$
>
> Any suggestions? Help is much appreciated.
>
> TIA
>
> /tony
>
> --
> Best regards,
>
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316
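A client-side sanity check for the setup discussed in this thread, added here as an example; it is not code from any message on the list or from the sssd/FreeIPA projects. It runs offline against constructed copies of sssd.conf and nsswitch.conf modelled on the ones Tony posted (with a consistent domain name), and verifies the things a client needs before an IPA sudo rule can apply: the sudo responder listed in the [sssd] services, the [domain/...] section name agreeing with ipa_domain and the domains= list, and sss on the sudoers line of nsswitch.conf. It also compares the installed sssd version against 1.14, which is the threshold Lachlan reports in the thread rather than a documented requirement. The file paths, the rpm query and the fallback version string are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks of the client-side
# prerequisites for IPA sudo rules delivered through sssd.

# sssd_version_ok VERSION -> exit 0 when VERSION is >= 1.14, the threshold
# Lachlan reports in the thread (an assumption here, not a documented rule).
sssd_version_ok() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 1 ] 2>/dev/null && return 0
    [ "$major" -eq 1 ] 2>/dev/null && [ "$minor" -ge 14 ] 2>/dev/null
}

# check_sssd_conf FILE -> exit 0 when the [sssd] section lists the sudo
# responder and the [domain/NAME] section agrees with ipa_domain and domains=.
check_sssd_conf() {
    f="$1"
    rc=0
    # "services" value taken from the [sssd] section only, whitespace stripped
    services=$(awk '
        /^\[sssd\]/ { s = 1; next }
        /^\[/       { s = 0 }
        s && /^[ \t]*services[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print }' "$f" | tr -d ' \t')
    case ",$services," in
        *,sudo,*) ;;
        *) echo "$f: 'sudo' is missing from services in [sssd]"; rc=1 ;;
    esac
    section=$(sed -n 's/^\[domain\/\([^]]*\)\].*/\1/p' "$f" | head -n 1)
    ipa_domain=$(awk -F= '/^[ \t]*ipa_domain[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }' "$f")
    domains=$(awk -F= '/^[ \t]*domains[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }' "$f")
    if [ "$section" != "$ipa_domain" ]; then
        echo "$f: [domain/$section] but ipa_domain = $ipa_domain"; rc=1
    fi
    case ",$domains," in
        *,"$section",*) ;;
        *) echo "$f: domain '$section' is not in the [sssd] domains list"; rc=1 ;;
    esac
    return $rc
}

# check_nsswitch FILE -> exit 0 when the sudoers database consults sss
check_nsswitch() {
    f="$1"
    line=$(awk '/^[ \t]*sudoers[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); print }' "$f")
    case " $line " in
        *" sss "*) return 0 ;;
        *) echo "$f: sudoers line is '${line:-missing}', it needs 'sss'"; return 1 ;;
    esac
}

# write_samples DIR -> constructed sssd.conf and nsswitch.conf modelled on the
# thread (domain name made consistent), plus nsswitch.bad without sss.
write_samples() {
    d="$1"
    mkdir -p "$d"
    cat > "$d/sssd.conf" <<'EOF'
[domain/kac.lokalnet]
cache_credentials = True
ipa_domain = kac.lokalnet
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kac-man-001.kac.lokalnet
ipa_server = _srv_, kac-adm-001.kac.lokalnet

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = kac.lokalnet

[sudo]
EOF
    cat > "$d/nsswitch.conf" <<'EOF'
passwd:     files sss
group:      files sss
netgroup:   files sss
sudoers:    files sss
EOF
    sed 's/^sudoers:.*/sudoers:    files/' "$d/nsswitch.conf" > "$d/nsswitch.bad"
}

main() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    check_sssd_conf "$tmp/sssd.conf" && echo "sssd.conf: ok"
    check_nsswitch "$tmp/nsswitch.conf" && echo "nsswitch.conf: ok"
    check_nsswitch "$tmp/nsswitch.bad" || echo "nsswitch.bad: rejected as expected"
    # installed version via rpm where available; the fallback mirrors Tony's 1.13
    ver=$(rpm -q --qf '%{VERSION}' sssd 2>/dev/null) || ver="1.13.0"
    if sssd_version_ok "$ver"; then
        echo "sssd $ver: ok"
    else
        echo "sssd $ver: older than 1.14, see Lachlan's reply"
    fi
    rm -rf "$tmp"
}

main "$@"
```

On a real client, point check_sssd_conf at /etc/sssd/sssd.conf and check_nsswitch at /etc/nsswitch.conf; after correcting either file, restart sssd, invalidate the cache with sss_cache -E, and confirm with sudo -l as one of the subadmin users.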