[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

Lukas Slebodnik lslebodn at redhat.com
Thu Jul 14 11:32:45 UTC 2016


On (14/07/16 13:06), Tomas Simecek wrote:
>Hi Lukas,
>I did as you said.
>Logs are attached to this mail.
>
Thank you very much for the provided data.

The main problem is that the full refresh of sudo rules did not store any rules.

It might be caused by the following errors, which might be caused by issues
with the old buggy IPA server on CentOS 7.0:

[ipa_s2n_save_objects] (0x2000): Updating memberships for borek.pavel at sd-stc.cz
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
[sysdb_update_members_ex] (0x0020): Could not add member [borek.pavel at sd-stc.cz] to group [name=account at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
[sysdb_update_members_ex] (0x0020): Could not add member [borek.pavel at sd-stc.cz] to group [name=borek.pavel at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.

Attached is a reduced log.

You might try the new feature in sssd-1.13 on el6 which will
avoid using the compat tree for sudo.

Try to change ldap_sudo_search_base from
ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz

It does not mean that it will solve the issue with the extop plugin
on the IPA server (ipa_s2n_save_objects).

If it does not help then please provide the same data as in the previous mail.
BTW I strongly suspect issues on the IPA server on CentOS 7.0.
It might work on CentOS 7.0 client only by chance.

LS
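
Added example, not part of the original mail and not SSSD project code: a Python helper that extracts the skipped group-membership updates from an SSSD domain log excerpt like the one quoted above and pairs each with the preceding ldb_modify error. The function name and regular expressions are assumptions derived from the log lines in this mail; the sample input is those lines, embedded as they appear in the archive.

```python
import re
from collections import defaultdict

# Sample input: the log lines quoted in the mail, as shown in the list archive
# (addresses appear with " at "; a live log would contain "@").
SAMPLE_LOG = """\
[ipa_s2n_save_objects] (0x2000): Updating memberships for borek.pavel at sd-stc.cz
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
[sysdb_update_members_ex] (0x0020): Could not add member [borek.pavel at sd-stc.cz] to group [name=account at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
[sysdb_update_members_ex] (0x0020): Could not add member [borek.pavel at sd-stc.cz] to group [name=borek.pavel at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
"""

# search() is used below, so a timestamp or process prefix before the
# function name does not prevent a match.
LDB_RE = re.compile(
    r"\[sysdb_mod_group_member\] \(0x[0-9a-fA-F]+\): "
    r"ldb_modify failed: \[(?P<reason>[^\]]+)\]\((?P<code>\d+)\)"
)
SKIP_RE = re.compile(
    r"\[sysdb_update_members_ex\] \(0x[0-9a-fA-F]+\): Could not add member "
    r"\[(?P<member>[^\]]+)\] to group \[(?P<group>[^\]]+)\]\. Skipping\."
)

def skipped_memberships(log_text):
    """Return {member: [(group_dn, ldb_error), ...]} for each skipped update."""
    result = defaultdict(list)
    last_error = None  # most recent ldb_modify failure seen before a skip
    for line in log_text.splitlines():
        m = LDB_RE.search(line)
        if m:
            last_error = f"{m['reason']} ({m['code']})"
            continue
        m = SKIP_RE.search(line)
        if m:
            result[m["member"]].append((m["group"], last_error))
            last_error = None
    return dict(result)

if __name__ == "__main__":
    for member, entries in skipped_memberships(SAMPLE_LOG).items():
        for group, error in entries:
            print(f"{member}: not added to {group} [{error}]")
```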



