We are seeing the same problem (correct group membership; matching HBAC rules retrieved by sssd and rejected by sudo) on a new Ubuntu 16.04 client joining a realm of existing (and working) Ubuntu 15.10 hosts, despite identical "/etc/sssd/sssd.conf" files.
Master:
root@hades:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=15.10
DISTRIB_CODENAME=wily
DISTRIB_DESCRIPTION="Ubuntu 15.10"
root@hades:~# ipa --version
VERSION: 4.1.4, API_VERSION: 2.114
Existing (working) client:
root@orange1:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=15.10
DISTRIB_CODENAME=wily
DISTRIB_DESCRIPTION="Ubuntu 15.10"
root@orange1:~# ipa-client-install --version
4.1.4
root@orange1:~# sssd --version
1.12.5
New (broken) client:
root@orange4:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
root@orange4:~# ipa-client-install --version
4.3.1
root@orange4:~# sssd --version
1.13.4
I too would be grateful for any advice. The relevant parts of our logs
corroborate what John has reported in this thread, but I can provide
excerpts if that would be helpful.
--- Cory.
--
Cory Myers
Systems Engineer
Trinity Mobile Networks
pgpX5YwGdSuZp.pgp
Description: PGP signature
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
