<div dir="ltr">Not sure if it's related or not but I also reported an instance of similar behavior of this on Ubuntu 16.0.1 <div class="gmail_extra"> <div class="gmail_quote">On Tue, Aug 23, 2016 at 2:24 AM, Tony Brian Albers <<a href="mailto:tba@statsbiblioteket.dk" target="_blank">tba@statsbiblioteket.dk</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi guys, I've been trying to get sudo to work for our day-to-day admin who have their own usergroup in IPA called subadmin. For some reason I can't really get sudo to work, I suspect I am missing something simple, but I can't really figure out what it is. This is my config: # ipa sudorule-find ------------------- 1 Sudo Rule matched ------------------- Rule name: All Enabled: TRUE Host category: all Command category: all User Groups: subadmin ---------------------------- Number of entries returned 1 ---------------------------- # # ipa group-find subadmin --------------- 1 group matched --------------- Group name: subadmin Description: For daily administration of users and hosts GID: 10003 Member users: abr-sadm, pmd-sadm, tba-sadm, bja-sadm, alberto-ibm Roles: Sub-admins Member of Sudo rule: All ---------------------------- Number of entries returned 1 ---------------------------- # And on a client: # cat /etc/sssd/sssd.conf [domain/kac.lokalnet] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = kac.sblokalnet id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = kac-man-001.kac.lokalnet chpass_provider = ipa ipa_server = _srv_, kac-adm-001.kac.lokalnet ldap_tls_cacert = /etc/ipa/ca.crt autofs_provider = ipa ipa_automount_location = default krb5_renewable_lifetime = 50d krb5_renew_interval = 3600 [sssd] services = nss, sudo, pam, autofs, ssh config_file_version = 2 domains = kac.lokalnet [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] nsswitch.conf: passwd: files sss shadow: files sss group: files sss #initgroups: files #hosts: db files nisplus nis dns hosts: files dns myhostname # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: files sss publickey: nisplus automount: sss files aliases: files nisplus sudoers: files sss And for a subadmin account: -sh-4.2$ sudo -l [sudo] password for tba-sadm: Your password will expire in 6 day(s). User tba-sadm is not allowed to run sudo on kac-man-001. -sh-4.2$ Any suggestions? Help is much appreciated. TIA /tony -- Best regards, Tony Albers Systems administrator, IT-development State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark. Tel: <a href="tel:%2B45%208946%202316" value="+4589462316">+45 8946 2316</a> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div> </div><div class="gmail_extra">Jeff </div></div>