On (05/01/17 15:38), Jakub Hrozek wrote:
>On Thu, Jan 05, 2017 at 01:36:56PM +0000, James Harrison wrote:
>> Hi all, I am having problems with a FreeIPA client running Ubuntu Xenial.
>> I can authenticate OK, I get a Kerberos ticket, but cannot run sudo.
>> I get 1 rule returned, which I expect.
>> Many thanks, James Harrison
>
>I would check (with the help of ldbsearch against the sssd cache or
>with the help of the sudo logs) if the rule is really the one you are
>expecting or if it's just the cn=defaults rule.
>
>If it's just cn=defaults, then I would check if the rules are downloaded
>(sssd always downloads all rules applicable for the host IIRC) or if
>they just don't match the filter that you can see in the debug message
>from sudosrv_get_sudorules_query_cache. Keep in mind that this is a
>filter that applies for the sssd cache, not LDAP.
>
>And lastly, if the rules are downloaded as expected, the sudo rules
>would tell you why the rule didn't match.
>
>All in all, this document:
>    https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>describes how to troubleshoot the sudo integration.
>
Or you might check an older thread:
https://www.redhat.com/archives/freeipa-users/2016-August/msg00489.html

LS
