[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

Tomas Simecek simecek.tomas at gmail.com
Thu Jul 14 11:52:05 UTC 2016


Hi Lukas,
sorry to say, but nothing helps.

I have just updated IPA server, so that now it is:
[root at svlxxipap ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

with:
[root at svlxxipap ~]# rpm -qa|grep ipa
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64

I have also changed sudoers to sudo in sssd.conf as you suggested and
restarted sssd.
No difference, still:
[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.tomas at sd-stc.cz:
simecek.tomas at sd-stc.cz is not in the sudoers file.  This incident will be
reported.

I guess I will pilot some more IPA clients to make sure it works reliably
and if yes, I guess we will be able to live with the fact that older
Linuxes do not offer sudo to AD clients.

Or do you think there is something more to try?

Thanks

T.

2016-07-14 13:32 GMT+02:00 Lukas Slebodnik <lslebodn at redhat.com>:

> On (14/07/16 13:06), Tomas Simecek wrote:
> >Hi Lukas,
> >I did as you said.
> >Logs are attached to this mail.
> >
> Thank you very much for the provided data.
>
> The main problem is that full refresh of sudo rules did not store any
> rules.
>
> It might be caused by the following errors, which might be caused by issues
> with the old buggy IPA server on CentOS 7.0
>
> [ipa_s2n_save_objects] (0x2000): Updating memberships for
> borek.pavel at sd-stc.cz
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [
> borek.pavel at sd-stc.cz] to group [name=account at sd-stc.cz,cn=groups,cn=
> sd-stc.cz,cn=sysdb]. Skipping.
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [
> borek.pavel at sd-stc.cz] to group [name=borek.pavel at sd-stc.cz,cn=groups,cn=
> sd-stc.cz,cn=sysdb]. Skipping.
>
> Attached is a reduced log.
>
> You might try a new feature in sssd-1.13 on el6 which will
> avoid using the compat tree for sudo.
>
> Try to change ldap_sudo_search_base from
> ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz
>
> It does not mean that it will solve the issue with the extop plugin
> on IPA server (ipa_s2n_save_objects)
>
> If it does not help then please provide the same data as in previous mail.
> BTW I strongly suspect issues on IPA server on CentOS 7.0.
> It might work on CentOS 7.0 client only by chance.
>
> LS
>
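The two sssd.conf changes discussed in this thread (the responder must be listed as `sudo`, not `sudoers`, and `ldap_sudo_search_base` should point at the native `cn=sudo` tree instead of the compat `ou=sudoers` tree) are easy to get wrong on a fleet of clients. The following added check, which is not from the thread or from SSSD, reads an sssd.conf as text and reports both problems; the sample configuration is constructed to mirror the one under discussion.

```python
import configparser

# Constructed sample sssd.conf reproducing both issues raised in the thread
# (assumption: section and option names follow the standard sssd.conf layout).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, sudoers
domains = linuxdomain.cz

[domain/linuxdomain.cz]
id_provider = ipa
sudo_provider = ipa
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
"""

COMPAT_SUDO_RDN = "ou=sudoers"   # slapi-nis compat tree, used by older sssd
NATIVE_SUDO_RDN = "cn=sudo"      # native IPA sudo tree


def check_sudo_config(text):
    """Return a list of findings (empty when the sudo setup looks right).

    Checks that the [sssd] services line enables the 'sudo' responder under its
    real name, and that every domain's ldap_sudo_search_base starts with
    cn=sudo rather than the compat ou=sudoers RDN, suggesting the replacement DN.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    raw = cp.get("sssd", "services", fallback="")
    services = [s.strip() for s in raw.split(",") if s.strip()]
    if "sudo" not in services:
        findings.append("[sssd] services does not list 'sudo'")
    if "sudoers" in services:
        findings.append("[sssd] services lists 'sudoers', which is not a responder name")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        base = cp.get(section, "ldap_sudo_search_base", fallback=None)
        if base is None:
            continue
        first_rdn = base.split(",", 1)[0].strip()
        if first_rdn.lower() == COMPAT_SUDO_RDN:
            suggested = NATIVE_SUDO_RDN + base[len(first_rdn):]
            findings.append(
                f"[{section}] ldap_sudo_search_base uses the compat tree; try {suggested}"
            )
    return findings
```

Running `check_sudo_config(SAMPLE_SSSD_CONF)` yields three findings, the last suggesting `cn=sudo,dc=linuxdomain,dc=cz`; a configuration with `services = nss, pam, sudo` and a `cn=sudo,...` search base yields none.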