I must have made an error again:
- ipa hbactest gives seemingly correct answer on both server and client
- user can't actually use sudo on client?
CentOS 7, FreeIPA 4.2.0/2.156; sssd 1.14.1 from COPR

From the server:

[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au --host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
--------------------
Access granted: True
--------------------
Matched rules: Cluster Admin Users (sudo)
Not matched rules: Cluster Users
[root@vmdv-linuxidm1 ~]#

From the host in question:

[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au --host `hostname` --service sudo
--------------------
Access granted: True
--------------------
Matched rules: Cluster Admin Users (sudo)
Not matched rules: Cluster Users
[root@vmts-linuxclient1 ~]#

[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
[sudo] password for lsimp...@petermac.org.au:
lsimp...@petermac.org.au is not allowed to run sudo on vmts-linuxclient1. This incident will be reported.

On the client, in sssd_sudo.log (debug_level=6) I can see a number of lines, most notably three that start "Searching sysdb with" and then list all my IPA and AD groups; both groups that would give me HBAC sudo are listed in those log entries.

What should I try next?

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper
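ipa hbactest only evaluates the HBAC rule for the sudo PAM service; whether sudo itself ever asks SSSD for IPA sudo rules depends on the client's nsswitch.conf and sssd.conf. The following check is an added example (not from the thread or from the FreeIPA project; the config fragments are constructed samples) that parses both files for the two settings most often missing when HBAC says "Access granted" but sudo still denies.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread. Assumption: a stock sudo/SSSD
# client, where sudo consults SSSD only if (a) nsswitch.conf lists "sss" on
# the sudoers line and (b) sssd.conf starts the sudo responder (mandatory on
# an SSSD as old as 1.14; newer releases can socket-activate it instead).
# Constructed sample fragments stand in for the real files.
NSSWITCH_OK='passwd: files sss
sudoers: files sss'
NSSWITCH_BAD='passwd: files sss
sudoers: files'
SSSD_OK='[sssd]
services = nss, pam, ssh, sudo
domains = unixdev.petermac.org.au
[domain/unixdev.petermac.org.au]
id_provider = ipa'
SSSD_BAD='[sssd]
services = nss, pam, ssh
domains = unixdev.petermac.org.au'

# 0 if the sudoers database line in the nsswitch.conf text ($1) lists sss.
nsswitch_has_sss() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*sudoers:(.*[[:space:]])?sss([[:space:]]|$)'
}

# 0 if the [sssd] section of the sssd.conf text ($1) lists sudo in services.
sssd_has_sudo_service() {
    printf '%s\n' "$1" | sed -n '/^\[sssd\]/,/^\[/p' |
        grep -Eq '^[[:space:]]*services[[:space:]]*=(.*[[:space:],])?sudo([[:space:],]|$)'
}

# Prints one line per problem and returns the number of problems found, so a
# passing hbactest next to a sudo denial has a concrete next thing to check.
check_sudo_path() {
    problems=0
    if ! nsswitch_has_sss "$1"; then
        echo 'nsswitch.conf: sudoers line lacks sss; sudo never asks SSSD for rules'
        problems=$((problems + 1))
    fi
    if ! sssd_has_sudo_service "$2"; then
        echo 'sssd.conf: [sssd] services lacks sudo; sudo responder is not running'
        problems=$((problems + 1))
    fi
    return $problems
}

check_sudo_path "$NSSWITCH_BAD" "$SSSD_BAD" || echo "problems found: $?"
check_sudo_path "$NSSWITCH_OK" "$SSSD_OK" && echo 'sudo path to SSSD looks complete'
```

On a real client, feed it the file contents, e.g. `check_sudo_path "$(cat /etc/nsswitch.conf)" "$(cat /etc/sssd/sssd.conf)"`; if both checks pass, the remaining suspects are the IPA sudo rules themselves (HBAC and sudo rules are separate objects) and a stale SSSD cache.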
--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project