<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office"><head><!--[if gte mso 9]><xml><o:OfficeDocumentSettings><o:AllowPNG/><o:PixelsPerInch>96</o:PixelsPerInch></o:OfficeDocumentSettings></xml><![endif]--></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1483169570681_4879">I have followed troubleshooting procedure outlined here</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr"><a href="http://www.freeipa.org/page/Troubleshooting#sudo_does_not_work_for_hostgroups" class="enhancr2_87896af0-8297-7b90-e5fb-d72957075f34" id="yui_3_16_0_ym19_1_1483169570681_5004">Troubleshooting - FreeIPA</a><br></div><div id="yui_3_16_0_ym19_1_1483169570681_5048"><br></div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">Additionally I have done contrast and compare with a working server for the following files</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">/etc/hosts</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">/etc/resolv.conf</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">/etc/sudo-ldap.conf</div><div
id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">/etc/krb5.conf</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">/etc/sssd.conf</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">/etc/nssswitch.conf</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">All are identical other than host-specific information.</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">In addition I have also enabled debug_level in sssd.conf in all stanzas, but noticed that sudo log is not being generated.</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">I can however provide other logs.</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">I have also enabled sudo_debug=2 in /etc/sudo-ldap.conf</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">but not sure where to look for that log file.</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">A and PTR records exist for problematic servers in FreeIPA DNS.</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">As mentioned above, the user-id can ssh just fine but not sudo for any command even though that id should be able to do ANY ANY.</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">I have checked that the user-id is in the correct sudo groups that are applied for the host-groups for broken servers.</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">To add to the oddity, we somehow managed to fix the problem on several servers, but as it was a lot of blind trial and error we are not sure</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">what the corrective steps actually were. </div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">Please let me know what else I can/should take a look at. I can also provide logs if needed.</div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1483169570681_4879" dir="ltr">Thanks</div></div></body></html>