<div dir="ltr">Hi Dmitri,<div><br></div><div>One follow-up question about the management of the SSSD local cache. I've tried to clean cache entries with the sss_cache utility, but it looks like this utility is not working. I was able to confirm with ldbsearch that records for specific entries were not removed from the cache. </div>
<div><br></div><div>This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon, but I just wanted to confirm with you. I suspect you would know more about this problem. Unfortunately I wasn't able to find any info yet about this potential bug.</div>
<div><br></div><div>thanks</div>
<div><br></div><div>Dimitar</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Dec 17, 2013 at 10:40 PM, Dimitar Georgievski <span dir="ltr"><<a href="mailto:mitkany@gmail.com" target="_blank">mitkany@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks, Dmitri. Those settings for ldap in sssd.conf fixed the issue. <span class="HOEnZb"><font color="#888888"><div>
<br></div><div>Dimitar</div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Dec 17, 2013 at 6:47 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div>
On 12/17/2013 06:34 PM, Dimitar Georgievski wrote:
</div></div><blockquote type="cite"><div><div>
<div dir="ltr">Hi,
<div><br>
</div>
<div>I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works
fine except that I have a problem enforcing sudo policies on the
hosts that are part of the managed domain. </div>
<div><br>
</div>
<div>When trying to run the following simple command as a user
managed by FreeIPA, I get the following response:</div>
<div><br>
</div>
<div><i>> sudo /usr/bin/vim test.txt<br>
</i></div>
<div><i>jsmith is not allowed to run sudo on myhost. This
incident will be reported.</i></div>
<div><i><br>
</i></div>
<div>I might have missed something in the configuration of the
server or SSSD on the client host.</div>
<div><br>
</div>
<div>Is there any guideline for sudo integration with FreeIPA?</div>
<div><br>
</div>
<div>
The following is the SSSD configuration on the client host:</div>
<div><br>
</div>
<div>
<div>
<pre>[domain/example.net]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ldap
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipaserver.example.net
chpass_provider = ipa
ipa_server = _srv_
ipa_backup_server = replica.example.net

dns_discovery_domain = example.net

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2

domains = example.net
[nss]

[pam]

[sudo]
debug_level = 0x3ff0

[autofs]

[ssh]

[pac]
</pre>
</div>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Dimitar</div>
</div>
</div></div><pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<a href="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf" target="_blank">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</a><span><font color="#888888"><br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
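<div><p>Added example, not part of the thread above and not SSSD's or FreeIPA's own code: two offline checks a client administrator can run when a FreeIPA-managed user gets "is not allowed to run sudo" and, as in the follow-up question, when it is unclear what sudo rules the SSSD cache actually holds. The first check confirms that <code>sudoers</code> in nsswitch.conf is routed through the <code>sss</code> module (without that line sudo never asks SSSD). The second parses the LDIF that <code>ldbsearch</code> prints from the SSSD cache and lists the cached rule names, so a stale or missing rule can be spotted before reaching for <code>ldbdel</code>. The cache path <code>/var/lib/sss/db/cache_example.net.ldb</code> and the base <code>cn=sudorules,cn=custom,cn=example.net,cn=sysdb</code> follow the standard SSSD sysdb layout for the domain name used in the thread and are assumptions here; the nsswitch.conf fragments and the LDIF records in the script are constructed sample input, not output from a real host.</p>

```shell
#!/bin/sh
# Added example (not from the thread). Offline checks for the FreeIPA/SSSD
# sudo path on a client, with the live commands they correspond to in
# comments. All sample inputs below are constructed for illustration.

# Check 1: sudo only consults SSSD when nsswitch.conf routes "sudoers"
# through the sss module ("sudoers: files sss"). Takes the path of an
# nsswitch.conf and returns 0 if sss is listed for sudoers, 1 otherwise.
nsswitch_has_sss() {
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Check 2: print, sorted, the names of the sudo rules SSSD currently holds,
# reading LDIF (as printed by ldbsearch) from stdin. On a client the input
# comes from (domain name and cache path assumed from the thread):
#   ldbsearch -H /var/lib/sss/db/cache_example.net.ldb \
#       -b cn=sudorules,cn=custom,cn=example.net,cn=sysdb objectClass=sudoRule cn
cached_sudo_rules() {
    awk '$1 == "cn:" { print $2 }' | sort
}

# Constructed nsswitch.conf fragments: one correct, one missing sss.
good_nss=$(mktemp)
bad_nss=$(mktemp)
printf 'passwd: files sss\nsudoers: files sss\n' > "$good_nss"
printf 'passwd: files sss\nsudoers: files\n' > "$bad_nss"

# Constructed ldbsearch output: two cached rules laid out the way the SSSD
# sysdb stores them (assumed layout; dataExpireTimestamp is the cache expiry).
sample_ldif='# record 1
dn: name=allow_vim,cn=sudorules,cn=custom,cn=example.net,cn=sysdb
objectClass: sudoRule
cn: allow_vim
sudoUser: jsmith
sudoHost: myhost.example.net
sudoCommand: /usr/bin/vim
dataExpireTimestamp: 1387500000

# record 2
dn: name=admins_all,cn=sudorules,cn=custom,cn=example.net,cn=sysdb
objectClass: sudoRule
cn: admins_all
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL
dataExpireTimestamp: 1387500000

# returned 2 records
'

if nsswitch_has_sss "$good_nss"; then
    echo "good_nss: sudoers is routed through sss"
fi
if ! nsswitch_has_sss "$bad_nss"; then
    echo "bad_nss: sudoers is NOT routed through sss; sudo will never ask SSSD"
fi
echo "cached sudo rules:"
printf '%s' "$sample_ldif" | cached_sudo_rules
rm -f "$good_nss" "$bad_nss"
```

<p>On a real client, run check 1 against <code>/etc/nsswitch.conf</code> and pipe the <code>ldbsearch</code> command from the comment into check 2; if a rule is missing or its <code>dataExpireTimestamp</code> is in the past but <code>sudo -l</code> as the user still does not show it, the rule is not reaching the client rather than merely being stale. Whether your <code>sss_cache</code> can invalidate sudo rules depends on the SSSD release; check its usage output for a sudo-rule option before concluding the cache cannot be cleared without <code>ldbdel</code> and a restart.</p></div>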