[Freeipa-users] sssd - sudo issues

Dmitri Pal dpal at redhat.com
Mon May 20 19:58:11 UTC 2013


On 05/20/2013 12:33 PM, Duncan R. Green wrote:
> I ask upon thee, oh great ipa gurus...
>
> I've got ipa set up with sudo, and have it successfully working on
> several hosts.
>
> On one particular host, though, I'm having issues.
>
> SSSD seems to be working fine -- can ssh in as a user, can kinit, etc.
>
> However, when I try to use sudo, I immediately get
>
> ldap_sasl_bind_s(): Server is unwilling to perform
>
> and in /var/log/secure, I see
>
> May 20 17:20:07 SERVERNAME sudo: pam_unix(sudo:auth): authentication
> failure; logname=username uid=0 euid=0 tty=/dev/pts/0 ruser = rhost =
> user=username
>
> May 20 17:20:07 SERVERNAME sudo: pam_sss(sudo:auth): authentication
> success; logname=username uid=0 euid=0 tty=/dev/pts/0 ruser = rhost =
> user=username
>
> May 20 17:20:07 SERVERNAME sudo: username : user NOT in sudoers ;
> TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/bin/vi /etc/rc.local
>
> ...any advice?

Please turn on sudo debug and provide the debug output.
Also please look at the server-side access logs; they might shed some
light on why the server is unwilling to perform.
What OS is the client? It might have an LDAP library that is out of date
or provides some control that the server does not like or understand.
Also, the authentication of the sudo connection might not be properly
configured.

Generally there is not enough info to give you more guidance, sorry.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
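
One way to read the three /var/log/secure lines quoted in the question, as an added example that is not part of the original thread: pam_sss logs an authentication success while sudo itself logs "user NOT in sudoers", so the password check passed and the denial comes from sudo finding no matching rule. The function name `triage`, the verdict strings and the sample text (the quoted lines with wrapping rejoined) are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the thread, rejoined onto one line each.
SAMPLE = """\
May 20 17:20:07 SERVERNAME sudo: pam_unix(sudo:auth): authentication failure; logname=username uid=0 euid=0 tty=/dev/pts/0 ruser = rhost = user=username
May 20 17:20:07 SERVERNAME sudo: pam_sss(sudo:auth): authentication success; logname=username uid=0 euid=0 tty=/dev/pts/0 ruser = rhost = user=username
May 20 17:20:07 SERVERNAME sudo: username : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/bin/vi /etc/rc.local
"""

# PAM auth result per module; \buser= skips the "ruser" field.
PAM = re.compile(r"sudo: (pam_\w+)\(sudo:auth\): authentication (success|failure);.*\buser=(\S+)")
# sudo's own authorization denial, logged after authentication.
DENY = re.compile(r"sudo:\s+(\S+) : user NOT in sudoers ;.*COMMAND=(.*)$")

def triage(log_text):
    """Return {user: verdict}, separating PAM authentication from sudo rule lookup."""
    auth = defaultdict(dict)   # user -> {pam module: "success" | "failure"}
    denied = {}                # user -> command that was refused
    for line in log_text.splitlines():
        if m := PAM.search(line):
            auth[m.group(3)][m.group(1)] = m.group(2)
        elif m := DENY.search(line):
            denied[m.group(1)] = m.group(2).strip()
    verdicts = {}
    for user in set(auth) | set(denied):
        authenticated = "success" in auth[user].values()
        if user in denied and authenticated:
            # Any one PAM module succeeding is enough; pam_unix failing first
            # is expected for a user that exists only in the directory.
            verdicts[user] = "AUTH_OK_NO_SUDO_RULE"
        elif user in denied:
            verdicts[user] = "DENIED_NO_AUTH_SUCCESS_LOGGED"
        elif authenticated:
            verdicts[user] = "AUTH_OK"
        else:
            verdicts[user] = "AUTH_FAILED"
    return verdicts

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE).items():
        print(user, verdict)
```

An `AUTH_OK_NO_SUDO_RULE` verdict points the investigation at where sudo fetches its rules from, which is what the sudo debug output and the server-side access logs requested in the reply would show.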

