[Freeipa-users] sudo rules question on ubuntu 16.0.1

Jeff Goddard jgoddard at emerlyn.com
Thu Aug 25 18:01:24 UTC 2016


I'm still hoping someone can offer additional help. I see in the apt
term.log these errors when downloading the freeipa-client package. Could
this be the problem?

Creating SSSD system user & group...
adduser: Warning: The home directory `/var/lib/sss' does not belong to the
user you are currently creating.
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing
complain mode
Warning failed to create cache: usr.sbin.sssd
Job for sssd.service failed because the control process exited with error
code. See "systemctl status sssd.service" and "journalctl -xe" for details.
sssd.service couldn't start.
Setting up sssd-ad-common (1.13.4-1ubuntu1) ...
Setting up sssd-krb5-common (1.13.4-1ubuntu1) ...
Setting up sssd-ad (1.13.4-1ubuntu1) ...
Setting up sssd-ipa (1.13.4-1ubuntu1) ...
Setting up sssd-krb5 (1.13.4-1ubuntu1) ...
Setting up sssd-ldap (1.13.4-1ubuntu1) ...
Setting up sssd-proxy (1.13.4-1ubuntu1) ...
Setting up sssd (1.13.4-1ubuntu1) ...
Setting up freeipa-client (4.3.1-0ubuntu1) ...
Processing triggers for libc-bin (2.23-0ubuntu3) ...
Processing triggers for systemd (229-4ubuntu7) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for dbus (1.10.6-1ubuntu3) ...
Log ended: 2016-08-25  13:49:53


On Sun, Aug 14, 2016 at 2:16 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> Hi Pavel, can you help us with this thread?
>
> > On 12 Aug 2016, at 21:57, Jeff Goddard <jgoddard at emerlyn.com> wrote:
> >
> >
> >
> > On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson <jstephen at redhat.com> wrote:
> > In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created
> > automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix'
> > because sudo has no understanding of hostgroups.
> >
> > You should be able to query this on a client with
> >       # getent netgroup office
> >
> > This should return nisNetgroupTriple for each host in the hostgroup
> >      (ipa-client-1.example.com,-,example.com) (ipa-client-2.example.com,-,example.com)
> >
> > I would check this in your environment between working and non-working
> > systems.
> > I believe in later versions of sssd they added IPA sudo schema support
> > to eliminate the need for the compat tree so this could be related to the
> > issue if newer ubuntu clients are not working but CentOS is working.
> >
> > What version of sssd are you running?
> > Kind regards,
> >
> > Justin Stephenson
> > On 08/12/2016 02:35 PM, Jeff Goddard wrote:
> >> I made the edit as suggested - removing nis and just leaving sss -
> >> restarted sssd and then re-tried. I also tried with files sss. Still
> >> getting the same result.
> >>
> >> Thanks,
> >>
> >> Jeff
> > The query returns the expected results:
> >
> >  getent netgroup office
> > office                (docker-dev-01.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-02.internal.emerlyn.com,-,internal.emerlyn.com) (docker-dev-03.internal.emerlyn.com,-,internal.emerlyn.com) [more hosts]
> >
> > sssd version is 1.13.4
> >
> > Jeff
> >
> >
> >
>
>


Jeff
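
Added example, not part of the original thread: a small shell helper for the check suggested in the quoted reply, comparing `getent netgroup` output between working and non-working clients. The function names are hypothetical and the sample line is constructed from the example.com triples shown above; an empty host field is treated as a wildcard, per netgroup syntax.

```shell
#!/bin/sh
# Added example (not from the thread): inspect `getent netgroup` output.
# SAMPLE is constructed; it wraps inside a triple like the archived output.
SAMPLE='office (ipa-client-1.example.com,-,example.com) (ipa-client-2.example.com
,-,example.com)'

# Print the host field of each (host,user,domain) triple read from stdin.
# An empty host field is a wildcard in netgroup syntax and is printed as "*".
netgroup_hosts() {
    tr -d ' \t\n' | tr '()' '\n\n' |
        awk -F, 'NF == 3 { print ($1 == "" ? "*" : $1) }'
}

# Succeed if host $1 is covered by the triples on stdin (case-insensitive).
netgroup_has_host() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    netgroup_hosts | tr '[:upper:]' '[:lower:]' |
        awk -v want="$want" '
            $0 == want || $0 == "*" { found = 1 }
            END { exit (found ? 0 : 1) }'
}

# Live check on a client: netgroup name in $1, host defaults to local FQDN.
check_netgroup() {
    host=${2:-$(hostname -f)}
    getent netgroup "$1" | netgroup_has_host "$host"
}

# Demo on the constructed sample: prints the two host names.
printf '%s\n' "$SAMPLE" | netgroup_hosts
```

Running `check_netgroup office` on a working and a non-working client and comparing the exit status shows whether both resolve the host into the netgroup.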