On (05/01/17 15:38), Jakub Hrozek wrote:
>On Thu, Jan 05, 2017 at 01:36:56PM +0000, James Harrison wrote:
>> Hi all,
>> I'm having problems with a FreeIPA client running Ubuntu Xenial.
>> I can authenticate OK, I get a Kerberos ticket, but cannot run sudo.
>> I get 1 rule returned, which I expect.
>> Many thanks,
>> James Harrison
>
>I would check (with the help of ldbsearch against the sssd cache or
>with the help of the sudo logs) if the rule is really the one you are
>expecting or if it's just the cn=defaults rule.
>
>If it's just cn=defaults, then I would check if the rules are downloaded
>(sssd always downloads all rules applicable for the host IIRC) or if
>they just don't match the filter that you can see in the debug message
>from sudosrv_get_sudorules_query_cache. Keep in mind that this is a
>filter that applies for the sssd cache, not LDAP.
>
>And lastly, if the rules are downloaded as expected, the sudo rules
>would tell you why the rule didn't match.
>
>All in all, this document:
>    https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>describes how to troubleshoot the sudo integration.
>

Or you might check the older thread
https://www.redhat.com/archives/freeipa-users/2016-August/msg00489.html

LS
