<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 05/20/2013 12:33 PM, Duncan R. Green wrote:
<blockquote
cite="mid:CAE5c9j_RZbTCcGcmtKPk1d2RfwR_LVKVjp1kt2JyW9DWszgUQQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>I ask upon thee, oh great ipa gurus...<br>
<br>
</div>
I've got ipa set up with sudo, and have it successfully
working on several hosts.<br>
<br>
On one particular host, though, I'm having issues.<br>
<br>
SSSD seems to be working fine -- can ssh in as a user,
can kinit, etc.<br>
<br>
</div>
However, when I try to use sudo, I immediately get <br>
<br>
</div>
ldap_sasl_bind_s(): Server is unwilling to perform<br>
<br>
and in /var/log/secure, I see<br>
<br>
</div>
May 20 17:20:07 SERVERNAME sudo: pam_unix(sudo:auth):
authentication failure; logname=username uid=0 euid=0
tty=/dev/pts/0 ruser = rhost = user=username<br>
<br>
May 20 17:20:07 SERVERNAME sudo: pam_sss(sudo:auth):
authentication success; logname=username uid=0 euid=0
tty=/dev/pts/0 ruser = rhost = user=username<br>
<br>
May 20 17:20:07 SERVERNAME sudo: username : user NOT in
sudoers ; TTY=pts/0 ; PWD=/home/username ; USER=root ;
COMMAND=/bin/vi /etc/rc.local<br>
<br>
</div>
...any advice?<br>
</div>
<br>
</blockquote>
<br>
Please turn on sudo debug and provide the debug output.<br>
Also, please look at the server-side access logs; they might shed
some light on why the server is unwilling to perform.<br>
What OS is the client running? It might have an LDAP library that is out of
date or provides some control that the server does not like or
understand.<br>
Also, the authentication of the sudo connection might not be properly
configured.<br>
<br>
Generally there is not enough info to give you more guidance, sorry.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
</body>
</html>