Hello,

Below are my configuration and errors :)
(I've adapted some strings for the sake of example; the domain is not real.)

cat /etc/sssd/sssd.conf

    [sssd]
    services = nss, pam, ssh, sudo
    debug_level = 0x7FFF
    domains = LDAP_MY.COM

    [sudo]
    debug_level = 0x3ff0

    [domain/LDAP_MY.COM]
    debug_level = 0x3ff0
    access_provider = ldap
    id_provider = ldap
    sudo_provider = ldap
    ldap_uri = ldap://<IP>
    ldap_default_bind_dn = <user>@my.com
    ldap_default_authtok = <password>
    ldap_sudo_search_base = OU=SUDOers,DC=my,DC=com

/etc/nsswitch.conf

    ...
    sudoers: sss files
    ...

ldbsearch -H /var/lib/sss/db/cache_LDAP_MY.COM.ldb contains Microsoft AD records:

    # record 2
    dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
    cn: r2
    dataExpireTimestamp: 1561891358
    entryUSN: 245385
    name: r2
    objectClass: sudoRule
    originalDN: CN=r2,OU=SUDOers,DC=my,DC=com
    sudoCommand: ALL
    sudoHost: ALL
    sudoOption: !authenticate
    sudoUser: [email protected]
    distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,
     cn=sysdb

The AD sudoRole is a sudoRule in the local SSSD DB cache. But I get the following when trying to test 'sudo -l' or 'sudo su':

    [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [[email protected]@my.com]

(from /var/log/sssd/sssd_sudo.log)

Duplicate domain? I can see the rules being updated in the SSSD cache file from Microsoft AD, but I cannot use them, maybe because of some misconfiguration?

Setup for sudo logs: in /etc/sudo.conf I put down the following lines:

    Debug sudo /var/log/sudo_debug all@debug
    Debug sudoers.so /var/log/sudo_debug all@debug

From /var/log/sudo_debug I have this:

    ...
    user_in_group: user [email protected] NOT in group sudo
    ...

Thx a lot! Cheers!

_______________________________________________
sssd-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
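When a rule is visible in the SSSD cache but the sudo responder returns 0 rules, the first thing to check is what the cached sudoUser values actually say and whether they match the name the responder is looking up (note the doubled domain suffix in the log line above). The following script is an added example, not part of the original post or of SSSD; it parses the LDIF-style record format that `ldbsearch` prints, reports which cached rules literally name a given user, and also flags rules that grant ALL commands on ALL hosts without authentication, since a rule like r2 above is worth knowing about from an auditing standpoint whether or not it is currently applying. The sample dump, the user name `jdoe@my.com` and the second rule `r1` are constructed for the example; the literal-match check is a simplification of SSSD's matching (it ignores `%group`, `+netgroup` and `#uid` entries).

```python
"""Audit sudo rules from an SSSD cache dump (ldbsearch output).

Added example, not code from the original post or from SSSD. Parses the
record format printed by `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb`
and reports (a) rules whose sudoUser names a given user verbatim and
(b) rules that are ALL/ALL with !authenticate. Base64 ("::") values are
not decoded. The sample below is constructed; record r2 mirrors the
post, record r1 is invented for contrast.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SAMPLE_DUMP = """\
# record 1
dn: name=r1,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
cn: r1
objectClass: sudoRule
sudoCommand: /usr/bin/systemctl restart httpd
sudoHost: web01
sudoUser: %webadmins
distinguishedName: name=r1,cn=sudorules,cn=custom,cn=LDAP_MY.COM,
 cn=sysdb

# record 2
dn: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,cn=sysdb
cn: r2
dataExpireTimestamp: 1561891358
entryUSN: 245385
name: r2
objectClass: sudoRule
originalDN: CN=r2,OU=SUDOers,DC=my,DC=com
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoUser: jdoe@my.com
distinguishedName: name=r2,cn=sudorules,cn=custom,cn=LDAP_MY.COM,
 cn=sysdb

# returned 2 records
"""


@dataclass
class SudoRule:
    name: str
    attrs: dict[str, list[str]] = field(default_factory=dict)

    def values(self, attr: str) -> list[str]:
        # LDAP attribute names are case-insensitive; keys are stored lowercased.
        return self.attrs.get(attr.lower(), [])


def parse_ldb_dump(text: str) -> list[SudoRule]:
    """Parse ldbsearch output into SudoRule objects (sudoRule entries only)."""
    rules: list[SudoRule] = []
    current: dict[str, list[str]] = {}
    last_key: str | None = None

    def flush() -> None:
        nonlocal current, last_key
        classes = [v.lower() for v in current.get("objectclass", [])]
        if current and "sudorule" in classes:
            name = (current.get("cn") or current.get("name") or ["?"])[0]
            rules.append(SudoRule(name, current))
        current, last_key = {}, None

    for raw in text.splitlines():
        if raw.startswith("#"):          # "# record N" / "# returned N records"
            continue
        if not raw.strip():              # blank line ends a record
            flush()
            continue
        if raw.startswith(" ") and last_key:   # LDIF continuation line
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())   # multi-valued attrs
        last_key = key
    flush()
    return rules


def is_overly_permissive(rule: SudoRule) -> bool:
    """ALL commands on ALL hosts with authentication disabled."""
    cmd_all = any(v.upper() == "ALL" for v in rule.values("sudoCommand"))
    host_all = any(v.upper() == "ALL" for v in rule.values("sudoHost"))
    no_auth = any(v.replace(" ", "").lower() == "!authenticate"
                  for v in rule.values("sudoOption"))
    return cmd_all and host_all and no_auth


def rules_naming_user(rules: list[SudoRule], user: str) -> list[str]:
    """Names of rules whose sudoUser equals `user` (case-insensitive).

    Simplification: %group, +netgroup and #uid entries and short-vs-fully-
    qualified name handling are not modelled, so an empty result only means
    no rule names the user verbatim.
    """
    u = user.lower()
    return [r.name for r in rules
            if any(v.lower() == u for v in r.values("sudoUser"))]


if __name__ == "__main__":
    parsed = parse_ldb_dump(SAMPLE_DUMP)
    for r in parsed:
        flag = "PERMISSIVE" if is_overly_permissive(r) else "ok"
        print(f"{r.name}: sudoUser={r.values('sudoUser')} [{flag}]")
    # Lookup name as it appears in the responder log vs. the cached value.
    for lookup in ("jdoe@my.com", "jdoe@my.com@my.com"):
        print(f"rules naming {lookup!r}: {rules_naming_user(parsed, lookup)}")
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the output of `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb objectClass=sudoRule`; if the name in `sudosrv_fetch_rules` output never appears verbatim (or via a group) in any rule's sudoUser, the rule cannot apply regardless of what the cache contains.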
