On Sat, Dec 31, 2016 at 07:43:20AM +0000, pgb205 wrote:
> I have followed troubleshooting procedure outlined hereTroubleshooting - 
> FreeIPA
> |  
> |   
> |   
> |   |    |
>    |
>   |
> |  
> |   |  
> Troubleshooting - FreeIPA
>    |   |
>   |
>   |
> Additionally I have done contrast and compare with a working server for the 
> following 
> files/etc/hosts/etc/resolv.conf/etc/sudo-ldap.conf/etc/krb5.conf/etc/sssd.conf/etc/nssswitch.conf
> all are identical other than host specific information.
> In addition I have also enabled debug_level in sssd.conf in all stanzas, but 
> noticed that sudo log is not being generated.I can however provide other logs.
> I have also enabled sudo_debug=2 in /etc/sudo-ldap.confbut not sure where to 
> look for that log file.
> A and PTR records exist for problematic servers in FreeIPA DNS.
> As mentioned above the user-id can  ssh just fine but not sudo for any 
> command even though that id should be able to do ANY ANY.
> I have checked the the user-id is in the correct sudo groups that are applied 
> for the host-groups for broken servers.
> To add to the oddity we somehow managed to fix the problem on several servers 
> but as it was a lot blind trial and error we are not surewhat the corrective 
> steps actually were. 
> Please let me know what else I can/should take a look at. I can also provide 
> logs if needed.
> thanks

If the sudo log is not being generated at all, then I would assume that
sudo is not talking to sssd at all. Did you check the sudo logs (the
logs of the sudo binary, not the sssd-sudo responder) already?

The howto is here:

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to