<div dir="ltr">Hi Dmitri,<div><br></div><div>One follow-up question about the management of the SSSD local cache. I've tried to clean cache entries with the sss_cache utility, but it looks like this utility is not working. I was able to confirm with ldbsearch that records for specific entries were not removed from the cache.</div>

<div><br></div><div>This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon, but just wanted to confirm with you. I suspect you would know more about this problem. Unfortunately, I wasn't able to find any info yet about this potential bug.</div>
<div><br></div><div>thanks</div>
<div><br></div><div>Dimitar</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Dec 17, 2013 at 10:40 PM, Dimitar Georgievski <span dir="ltr"><<a href="mailto:mitkany@gmail.com" target="_blank">mitkany@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Dmitri. Those settings for ldap in sssd.conf fixed the issue. <span class="HOEnZb"><font color="#888888"><div>
<br></div><div>Dimitar</div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Dec 17, 2013 at 6:47 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div><div>
    On 12/17/2013 06:34 PM, Dimitar Georgievski wrote:
    </div></div><blockquote type="cite"><div><div>
      <div dir="ltr">Hi,
        <div><br>
        </div>
        <div>I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works
          fine except that I have a problem enforcing sudo policies on the
          hosts that are part of the managed domain.</div>
        <div><br>
        </div>
        <div>When trying to run the following simple command as a user
          managed by FreeIPA I got the following response:</div>
        <div><br>
        </div>
        <div><i>> sudo /usr/bin/vim test.txt<br>
          </i></div>
        <div><i>jsmith is not allowed to run sudo on myhost.  This
            incident will be reported.</i></div>
        <div><i><br>
          </i></div>
        <div>I might have missed something in the configuration of the
          server or SSSD on the client host.</div>
        <div><br>
        </div>
        <div>Is there any guideline for sudo integration with FreeIPA?</div>
        <div><br>
        </div>
        <div>
          The following is the SSSD configuration on the client host:</div>
        <div><br>
        </div>
        <div>
          <div>
            <div>[domain/example.net]</div>
            <div><br>
            </div>
            <div>cache_credentials = True</div>
            <div>krb5_store_password_if_offline = True</div>
            <div>ipa_domain = example.net</div>
            <div>id_provider = ipa</div>
            <div>auth_provider = ipa</div>
            <div>access_provider = ipa</div>
            <div>sudo_provider = ldap</div>
            <div>ldap_tls_cacert = /etc/ipa/ca.crt</div>
            <div>ipa_hostname = ipaserver.example.net</div>
            <div>chpass_provider = ipa</div>
            <div>ipa_server = _srv_</div>
            <div>ipa_backup_server = replica.example.net</div>
            <div><br>
            </div>
            <div>dns_discovery_domain = example.net</div>
            <div><br>
            </div>
            <div>[sssd]</div>
            <div>services = nss, pam, ssh, sudo</div>
            <div>config_file_version = 2</div>
            <div><br>
            </div>
            <div>domains = example.net</div>
            <div>[nss]</div>
            <div><br>
            </div>
            <div>[pam]</div>
            <div><br>
            </div>
            <div>[sudo]</div>
            <div>debug_level = 0x3ff0</div>
            <div><br>
            </div>
            <div>[autofs]</div>
            <div><br>
            </div>
            <div>[ssh]</div>
            <div><br>
            </div>
            <div>[pac]</div>
          </div>
        </div>
        <div><br>
        </div>
        <div>Thanks,</div>
        <div><br>
        </div>
        <div>Dimitar</div>
      </div>
      <br>
      <br>
      </div></div><pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
<a href="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf" target="_blank">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</a><span><font color="#888888"><br>
    <br>
    <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




</pre>
  </font></span></div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div>