[Freeipa-users] Stuck getting sudo working with Ubuntu client

Dmitri Pal dpal at redhat.com
Sun Apr 19 23:07:43 UTC 2015


On 04/19/2015 02:51 PM, Andrew Sacamano wrote:
> Thanks again Lukas,
>
> These turned out to be very helpful debugging suggestions, and were 
> the critical part of getting the problem solved - the pointer to 
> ldb-tools was extremely helpful in identifying where the issue was 
> happening!
>
> With them, I was able to see the right sudo rules were being cached, 
> and that the change from sudo working to sudo not working happened not 
> because of the host, but because of the user, and in particular, the 
> user being listed explicitly, or only as part of a group.  The 
> user's groups were being listed in the user's entry in the cache, but 
> not when running the "id" command.  Some quick googling, and I 
> discovered that in Ubuntu 14.04, the sssd option "enumerate" defaults 
> to false, which meant that the group memberships were not taking 
> effect, which meant that sudo rules based on membership in a group 
> weren't working. Setting enumerate to true got everything working.

Enumerate is generally discouraged.
The fact that enumeration helped means that something was not correct in 
the cache.
It seems it just masked the issue, not solved it.

>
> Many thanks again!
>
> -Andrew
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
