<div dir="ltr">Thanks Lukas,<div><br></div><div>I'm very glad to have concrete debugging suggestions. I'll investigate as you suggest and report back.</div><div><br></div><div>Thanks again,</div><div><br></div><div>Andrew</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 17, 2015 at 2:28 PM, Lukas Slebodnik <span dir="ltr"><<a href="mailto:lslebodn@redhat.com" target="_blank">lslebodn@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On (17/04/15 11:32), Andrew Sacamano wrote:<br> >Hi everyone,<br> ><br> ><br> >I've spent a couple of days digging around the web, watching logs, and<br> >poking things, and I'm stuck getting sudo working with IPA on a new box<br> >I've just set up. I have had it working in the past on a test box, but<br> >something about this box is blocking me, and I can't for the life of me<br> >figure out what.<br> ><br> ><br> >The basic symptom is that I can log into the Ubuntu box as an IPA user, but<br> >sudo is always denied:<br> ><br> ><br> >[root@security-core-1 log]# ssh dru@jenkins<br> ><br> >dru@jenkins's password:<br> ><br> >...<br> ><br> >Could not chdir to home directory /home/dru: No such file or directory<br> ><br> >dru@jenkins:/$ sudo -l<br> ><br> >[sudo] password for dru:<br> ><br> >Sorry, user dru may not run sudo on jenkins.<br> ><br> ><br> >I've appended version output, config files, sample logs, and ipa config -<br> >which I think is all of the relevant material, but I'll gladly share more<br> >if it's needed.<br> ><br> ><br> >Thanks so much in advance for any debugging advice, hints, or help!<br> ><br> ><br> <br> </span>I looked to the configuration files and they look good.<br> <br> I have few hints which might help you with troubleshooting<br> * please ensure you have installed package sudo and not sudo-ldap.<br> The second one is not build with sssd support.<br> * please read about sudo caching in sssd<br> man sssd-sudo -> THE SUDO RULE CACHING MECHANISM<br> * please test simple sudo rules first.<br> (all hosts, one user instead of groups, ...)<br> * check whether sudo rules are cached by sssd (use ldb-tools)<br> <br> If previous hints does not help then you need to enable<br> debugging in sudo and analyse log file.<br> @see slide 18 in presentation[1]<br> <br> LS<br> <br> [1] <a href="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf" target="_blank">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</a><br> </blockquote></div><br></div>