[Freeipa-users] Stuck getting sudo working with Ubuntu client

Lukas Slebodnik lslebodn at redhat.com
Mon Apr 20 07:29:58 UTC 2015


On (19/04/15 12:51), Andrew Sacamano wrote:
>Thanks again Lukas,
>
>These turned out to be very helpful debugging suggestions, and were the
>critical part of getting the problem solved - the pointer to ldb-tools was
>extremely helpful in identifying where the issue was happening!
>
>With them, I was able to see the right sudo rules were being cached, and
>that the change from sudo working to sudo not working happened not because
>of the host, but because of the user, and in particular, the user being
>listed explicitly, or only as part of a group.  The user's groups were
>being listed in the user's entry in the cache, but not when running the
>"id" command.  Some quick googling, and I discovered that in Ubuntu 14.04,
>the sssd option "enumerate" defaults to false, which meant that the group
>memberships were not taking effect, which meant that sudo rules based on
>membership in a group weren't working. Setting enumerate to true got
>everything working.
>
If you have a problem with "id", it might be caused by
https://fedorahosted.org/sssd/ticket/2471

You can fix the bug by amending the configuration:
put ldap_group_object_class = ipaUserGroup
into the domain section of sssd.conf.

It should work even with disabled enumeration.

LS
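
Added example, not part of the original message or of SSSD/FreeIPA: a small Python check that reads an sssd.conf, reports which [domain/...] sections lack the ldap_group_object_class = ipaUserGroup setting from the reply, and notes where the enumerate = true workaround is still on. The sample config and the domain name example.test are constructed placeholders; the helper names are hypothetical.

```python
import configparser
import io

# Constructed sample; the domain name "example.test" is a placeholder.
SAMPLE_CONF = """\
[sssd]
domains = example.test

[domain/example.test]
id_provider = ipa
enumerate = true
"""

KEY, VALUE = "ldap_group_object_class", "ipaUserGroup"

def _parse(conf_text):
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser

def check_domains(conf_text):
    """Map each [domain/...] section to a list of findings (empty = OK)."""
    report = {}
    parser = _parse(conf_text)
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts, findings = parser[section], []
        value = opts.get(KEY)
        if value is None:
            findings.append(f"{KEY} is not set")
        elif value.strip() != VALUE:
            findings.append(f"{KEY} = {value.strip()}, expected {VALUE}")
        # The reply says the fix works with enumeration disabled.
        if opts.get("enumerate", "false").strip().lower() == "true":
            findings.append("enumerate = true is still enabled")
        report[section] = findings
    return report

def apply_fix(conf_text):
    """Return the config with KEY = VALUE set in every domain section.
    configparser drops comments on write, so review the result before use."""
    parser = _parse(conf_text)
    for section in parser.sections():
        if section.startswith("domain/"):
            parser[section][KEY] = VALUE
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()
```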
