On Sat, Dec 31, 2016 at 07:43:20AM +0000, pgb205 wrote:
> I have followed troubleshooting procedure outlined here: Troubleshooting -
> FreeIPA
>
> Additionally I have done contrast and compare with a working server for the
> following files:
> /etc/hosts
> /etc/resolv.conf
> /etc/sudo-ldap.conf
> /etc/krb5.conf
> /etc/sssd.conf
> /etc/nsswitch.conf
> All are identical other than host-specific information.
> In addition I have also enabled debug_level in sssd.conf in all stanzas, but
> noticed that sudo log is not being generated. I can however provide other logs.
> I have also enabled sudo_debug=2 in /etc/sudo-ldap.conf but not sure where to
> look for that log file.
> A and PTR records exist for problematic servers in FreeIPA DNS.
> As mentioned above the user-id can ssh just fine but not sudo for any
> command even though that id should be able to do ANY ANY.
> I have checked that the user-id is in the correct sudo groups that are applied
> for the host-groups for broken servers.
> To add to the oddity we somehow managed to fix the problem on several servers
> but as it was a lot of blind trial and error we are not sure what the corrective
> steps actually were.
> Please let me know what else I can/should take a look at. I can also provide
> logs if needed.
> thanks

If the sudo log is not being generated at all, then I would assume that sudo is not talking to sssd at all. Did you check the sudo logs (the logs of the sudo binary, not the sssd-sudo responder) already? The howto is here: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
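
The reply reasons that a missing sudo log means sudo never reaches SSSD. As an added example (not part of the thread or the linked howto), this shell check reads the two settings that decide that path: the `sudoers:` line in nsswitch.conf and the `services` list in the `[sssd]` section of sssd.conf. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: is sudo configured to ask SSSD at all?

# Sources on the "sudoers:" line of an nsswitch.conf-style file.
nss_sudoers_sources() {
    sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" | sed 's/#.*//' | head -n 1
}

# Value of "services" in the [sssd] section of an sssd.conf-style file.
sssd_services() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Succeeds if word $1 is in the comma- or space-separated list $2.
has_word() {
    for w in $(printf '%s' "$2" | tr ',' ' '); do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_sudo_sssd NSSWITCH SSSD_CONF: prints findings, succeeds only if both are set.
check_sudo_sssd() {
    rc=0
    if has_word sss "$(nss_sudoers_sources "$1")"; then
        echo "nsswitch: sudoers uses sss"
    else
        echo "nsswitch: no 'sss' on the sudoers line, sudo will not query SSSD"
        rc=1
    fi
    if has_word sudo "$(sssd_services "$2")"; then
        echo "sssd.conf: sudo responder listed in [sssd] services"
    else
        # Assumption: responder is not socket-activated (possible on newer SSSD).
        echo "sssd.conf: 'sudo' missing from [sssd] services"
        rc=1
    fi
    return $rc
}

# Constructed sample files showing the failing case.
tmp=$(mktemp -d)
printf 'passwd: files sss\nsudoers: files\n' > "$tmp/nsswitch.conf"
printf '[sssd]\nservices = nss, pam\n[sudo]\ndebug_level = 6\n' > "$tmp/sssd.conf"
check_sudo_sssd "$tmp/nsswitch.conf" "$tmp/sssd.conf" || true
rm -rf "$tmp"
```

On a real host, pass the live file paths to `check_sudo_sssd` and compare the output between a working and a broken server.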