<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6"> </HEAD> <BODY> On Mon, 2013-09-09 at 11:29 +0200, Pavel Březina wrote: <BLOCKQUOTE TYPE=CITE> <PRE> On 09/08/2013 11:11 PM, Jakub Hrozek wrote: > On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote: >> On Sat, 2013-09-07 at 19:35 -0400, Dmitri Pal wrote: >> >>> On 09/07/2013 02:11 PM, Christian Horn wrote: >>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote: >>>>> Are [1] and[2] still the current and best sources of information for >>>>> configuring sudo for use with the current release of FreeIPA on Fedora >>>>> 19? >>>>> >>>>> 1. >>>>> <A HREF="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html</A> >>>>> 2. >>>>> <A HREF="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</A> >>>> There is also the Identity_Management_Guide as part of the RHEL >>>> product documentation: >>>> <A HREF="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html</A> >>> This and the pdf above are the latest word in this area. >>> >>>> Christian >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> >>>> <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> >>> >>> >> >> Some sudo rules are causing: >> >> [dean@desktop2 ~]$ sudo id >> sudo: internal error, tried to erealloc3(0) > > This is a known bug: > <A HREF="https://bugzilla.redhat.com/show_bug.cgi?id=1000389">https://bugzilla.redhat.com/show_bug.cgi?id=1000389</A> > > I think the sudo rules are just missing the sudoHost attribute. > >> >> , but others do not. In the trial and error process of determining >> which rule specifications are causing the error, I have been restarting >> the virtual machine I am using as the sudo client between tests. Is >> there a better way to clear the SSSD cache between trials to make sure I >> am testing the most recent rule change? > > Unfortunately right now the only way is to rm the sssd cache which would > also remove any cached credentials. You don't necessarily have to remove the cache. If you just restart SSSD the rules will be refreshed in approximately 15 seconds. </PRE> </BLOCKQUOTE> Ah! Thank you. I will try to remember that for the next time I have to debug rules <BLOCKQUOTE TYPE=CITE> <PRE> I thought there was an RFE open to > track the enhancement to make sss_cache invalidate and refresh sudo > rules, but I can't find it now in the SSSD trac, so I filed another one: > <A HREF="https://fedorahosted.org/sssd/ticket/2081">https://fedorahosted.org/sssd/ticket/2081</A> > > Worst case, we mark it as a duplicate. > > _______________________________________________ > Freeipa-users mailing list > <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> > <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> > _______________________________________________ Freeipa-users mailing list <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> </PRE> </BLOCKQUOTE> </BODY> </HTML>