[Freeipa-users] Stuck getting sudo working with Ubuntu client

Andrew Sacamano asacamano at gmail.com
Mon Apr 20 23:54:41 UTC 2015


Thanks again, Lukas!

I was wondering if the overlap of names was a problem, so I redid parts of
my IPA setup to rename them - thanks for pointing out the ticket!

Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked
- which saves me the trouble of tracking that down in six months when my
IPA domain grows and the performance issues associated with enumerate begin
to manifest.

Many thanks - you are extraordinarily helpful. My colleagues and I are
quite grateful for all your advice!

Thanks again,

Andrew

On Mon, Apr 20, 2015 at 1:29 AM, Lukas Slebodnik <lslebodn at redhat.com>
wrote:

> On (19/04/15 12:51), Andrew Sacamano wrote:
> >Thanks again Lukas,
> >
> >These turned out to be very helpful debugging suggestions, and were the
> >critical part of getting the problem solved - the pointer to ldb-tools was
> >extremely helpful in identifying where the issue was happening!
> >
> >With them, I was able to see the right sudo rules were being cached, and
> >that the change from sudo working to sudo not working happened not because
> >of the host, but because of the user, and in particular, the user being
> >listed explicitly, or only as part of a group.  The user's groups were
> >being listed in the user's entry in the cache, but not when running the
> >"id" command.  Some quick googling, and I discovered that in Ubuntu 14.04,
> >the sssd option "enumerate" defaults to false, which meant that the group
> >memberships were not taking effect, which meant that sudo rules based on
> >membership in a group weren't working. Setting enumerate to true got
> >everything working.
> >
> If you have a problem with "id", it might be caused by
> https://fedorahosted.org/sssd/ticket/2471
>
> You can fix the bug by amending the configuration:
> put ldap_group_object_class = ipaUserGroup
> into the domain section of sssd.conf.
>
> It should work even with disabled enumeration.
>
> LS
>
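The two sssd.conf settings discussed in this thread, side by side, as an added example (not from the thread, SSSD or FreeIPA): a small audit that parses sssd.conf and flags domain sections that still rely on `enumerate = true` instead of `ldap_group_object_class = ipaUserGroup`. The domain name `example.test`, the server `ipa.example.test` and both config fragments are constructed placeholders; the option names are the ones from the thread.

```python
# Added example, not code from the mailing-list thread, SSSD or FreeIPA:
# audit sssd.conf [domain/...] sections for the enumerate workaround versus
# the ldap_group_object_class = ipaUserGroup setting suggested in the thread.
import configparser
from typing import Dict, List

# Constructed sample (placeholder domain and server): the client as first
# "fixed" in the thread, with whole-directory enumeration switched on.
WORKAROUND_CONF = """
[sssd]
services = nss, pam, sudo, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
enumerate = true
"""

# Constructed sample: the same client with the suggested setting instead,
# enumeration left at its default (off).
FIXED_CONF = """
[sssd]
services = nss, pam, sudo, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
ldap_group_object_class = ipaUserGroup
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf (INI syntax). Interpolation is disabled because '%'
    has no special meaning in sssd.conf; strict=False tolerates a repeated
    key instead of raising."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_domains(text: str) -> Dict[str, List[str]]:
    """Return {section_name: [findings]} for every [domain/...] section.
    An empty findings list means the section looks as the thread recommends."""
    cp = parse_sssd_conf(text)
    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        issues: List[str] = []
        # Enumerating every user and group is the costly workaround: its
        # cost grows with the size of the IPA domain.
        if cp.getboolean(section, "enumerate", fallback=False):
            issues.append("enumerate = true: full user/group enumeration, "
                          "scales badly as the domain grows")
        # On an IPA client, group membership should resolve without
        # enumeration once groups are looked up as ipaUserGroup objects.
        if (dom.get("id_provider", "").strip().lower() == "ipa"
                and dom.get("ldap_group_object_class", "").strip() != "ipaUserGroup"):
            issues.append("ldap_group_object_class is not set to ipaUserGroup")
        findings[section] = issues
    return findings


if __name__ == "__main__":
    for label, conf in (("workaround", WORKAROUND_CONF), ("fixed", FIXED_CONF)):
        for section, issues in audit_domains(conf).items():
            print(f"{label}: {section}: {issues or 'OK'}")
```

Running the script prints two findings for the workaround fragment and `OK` for the fixed one; pointing `parse_sssd_conf` at the contents of a real `/etc/sssd/sssd.conf` gives the same report for an actual client.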