[Freeipa-users] Best place to start debugging sudo issue

Bret Wortman bret.wortman at damascusgrp.com
Tue Oct 1 14:58:11 UTC 2013


Thanks. In this case, on a lark, I compared the sizes of the ca.crt file
between the working and nonworking nodes and there was a 4 byte difference.
Copying over the working copy to the nonworking node got things flowing
again. I'm filing these notes in my nv stack for later reference, though.

Thanks, Rob.


Bret Wortman

http://damascusgrp.com/
http://about.me/wortmanbret


On Tue, Oct 1, 2013 at 10:53 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Bret Wortman wrote:
>
>> One some of my nodes, attempting to sudo yields this:
>>
>> $ sudo su -
>> sudo: ldap_start_tls_s(): Connect error
>> [sudo] password for bretw:
>>
>> When the policy for my account is set up for !authenticate on all systems.
>>
>> On my own workstation, and most of our systems, it works just fine. But
>> on a few, this is happening. What's the best way to start debugging
>> this? I'm not looking for someone to do the work for me, but some
>> pointers to the right logfiles or extra flags would be helpful.
>>
>
> Add 'sudoers_debug: 2' to the sudo ldap configuration file.
>
> Check the DS access log on the IPA server this connects to for SSL errors.
>
> You should have these set:
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> rob
>
>
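Comparing file sizes found the bad ca.crt in this case, but a size delta alone does not say whether a copy differs only in formatting or actually carries a different certificate. The following Python is an added example, not code from the thread or from FreeIPA: it hashes the DER bytes decoded from each PEM block so two copies of the file named in tls_cacertfile can be classified as identical, cosmetically different (line endings or whitespace), undecodable, or genuinely different; the certificate bytes and file variants are constructed stand-ins, not a real CA.

```python
import base64
import hashlib
import re

# Matches every PEM certificate block; the body may use LF or CRLF endings.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_digests(pem_bytes):
    """SHA-256 of the decoded DER of each certificate in a PEM file.
    Whitespace and line endings are dropped before decoding, so files that
    differ only in formatting give equal digests; a block whose base64 does
    not decode contributes None."""
    text = pem_bytes.decode("ascii", errors="replace")
    out = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        try:
            der = base64.b64decode(b64, validate=True)
            out.append(hashlib.sha256(der).hexdigest())
        except ValueError:  # binascii.Error is a ValueError subclass
            out.append(None)
    return out


def classify_ca_diff(good, bad):
    """Compare a known-good ca.crt against a suspect copy.
    Returns 'identical', 'cosmetic', 'undecodable', 'no-cert' or 'content'."""
    if good == bad:
        return "identical"
    suspect = der_digests(bad)
    if not suspect:
        return "no-cert"
    if None in suspect:
        return "undecodable"
    return "cosmetic" if suspect == der_digests(good) else "content"


# --- constructed sample data: FAKE_DER is not a real X.509 certificate ---
FAKE_DER = bytes(range(96))


def pem_wrap(der, eol="\n"):
    """Wrap bytes as a PEM certificate block using the given line ending."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + eol).encode("ascii")


GOOD_CA = pem_wrap(FAKE_DER)                       # copy from a working node
CRLF_CA = pem_wrap(FAKE_DER, eol="\r\n")           # same cert, 4 bytes longer
CORRUPT_CA = pem_wrap(FAKE_DER[:-1])               # different cert, same size
BROKEN_CA = GOOD_CA.replace(b"AAEC", b"AA*C", 1)   # invalid base64 character
```

A cosmetic result means the copy should still load, so the client's TLS failure lies elsewhere (server certificate, hostname, or the sudo-ldap settings quoted above); a content or undecodable result points at the file itself.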

