<html><body> Not sure it is the same as 14.X but I had to add the sudo in the list of services to sssd.conf as it was not put in by default. I am by no means an expert on it but my own personal experience with 14.x Sean Hogan <img width="16" height="16" src="cid:1__=88BB0A98DFF086AF8f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Jeff Goddard ---08/10/2016 10:52:31 AM---I've got a freeipa domain and many centos 7.2 clients. I als">Jeff Goddard ---08/10/2016 10:52:31 AM---I've got a freeipa domain and many centos 7.2 clients. I also have a sudo rule that allows member of From: Jeff Goddard <jgoddard@emerlyn.com> To: freeipa-users@redhat.com Date: 08/10/2016 10:52 AM Subject: [Freeipa-users] sudo rules question on ubuntu 16.0.1 Sent by: freeipa-users-bounces@redhat.com <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> I've got a freeipa domain and many centos 7.2 clients. I also have a sudo rule that allows member of the developer group sudo rights on virtual servers in the "development" group. This works great on the centos servers. However, I recently set up 3 ubuntu boxes, and added them to the IPA domain and then to the "development" group. My sudo rules fail. I've enabled debugging and I see in the /var/log/sssd/sssd_sudo.log that the clients connects to the server, identifies group memberships, and finally prints "returning 1 rules for [<a href="mailto:user@domain.com">user@domain.com</a>]. We only have the single rule so I can't figure out why it's not working. Can someone point me in the correct direction? Thanks, Jeff <tt>-- Manage your subscription for the Freeipa-users mailing list: </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project</tt> </body></html>