On Thu, Jan 05, 2017 at 01:36:56PM +0000, James Harrison wrote:
> Hi all,I having problems with a FreeIPA client running Ububtu Xenial.
> I can authenticate OK, I get a kerberos ticket, but cannot run sudo.
> I get 1 rule returned, which I expect.
> Many thanks,James Harrison

I would check if (with the help of ldbsearch against the sssd cache or
with the help of the sudo logs) if the rule is really the one you are
expecting or if it's just the cn=defaults rule.

If it's just cn=defaults, then I would check if the rules are downloaded
(sssd always downloads all rules applicable for the host IIRC) or if
they just don't match the filter that you can see in the debug message
from sudosrv_get_sudorules_query_cache. Keep in mind that this is a
filter that applies for the sssd cache, not LDAP.

And lastly, if the rules are downloaded as expected, the sudo rules
would tell you why the rule didn't match.

All in all, this document:
describes how to troubleshoot the sudo integration.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to