And indeed the compat tree was disabled. Guess I forgot to reenable it after copying the db to a testing environment.
Thanks guys, sudo is working fine now. /tony On Tue, 2016-08-23 at 10:13 -0400, Rob Crittenden wrote: > Pavel Březina wrote: > > On 08/23/2016 01:55 PM, Tony Brian Albers wrote: > >> Here you are: > >> > >> > >> [root ~]# ldapsearch -Y GSSAPI -b $dc > >> '(ou=*)' -s onelevel > > > >> # profile, $domain > >> dn: ou=profile,$dc > >> objectClass: top > >> objectClass: organizationalUnit > >> ou: profiles > >> ou: profile > >> > >> # search result > >> search: 4 > >> result: 0 Success > >> > >> # numResponses: 2 > >> # numEntries: 1 > > > > > > Sudo rules are not downloaded by SSSD because ou=sudoers is missing on > > the IPA server, or it may have incorrect ACL. Does someone from IPA team > > know why? > > Perhaps the compat tree is disabled: > > $ ipa-compat-manage status > > rob > > -- Best regards, Tony Albers Systems administrator, IT-development State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark. Tel: +45 8946 2316 -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project