<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 04/19/2015 02:51 PM, Andrew Sacamano
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAE0pg8rAoXV531oh+xGHV09z1pSUZ=chE_P2RPQKLrcMoWhOQQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><span style="font-size:12.8000001907349px">Thanks again
            Lukas,</span></div>
        <div><span style="font-size:12.8000001907349px"><br>
          </span></div>
        <div><span style="font-size:12.8000001907349px">These turned out
            to be very helpful debugging suggestions, and were the
            critical part of getting the problem solved - </span><span
            style="font-size:12.8000001907349px">the pointer to
            ldb-tools was extremely helpful in identifying where the
            issue was happening!</span></div>
        <div><span style="font-size:12.8000001907349px"><br>
          </span></div>
        <div><span style="font-size:12.8000001907349px">With them, I was
            able to see the right sudo rules were being cached, and that
            the change from sudo working to sudo not working happened
            not because of the host, but because of the user, and in
            particular, the user being listed explicitly, or only as
            part of a group.  The user's groups were being listed in the
            user's entry in the cache, but not when running the "id"
            command.  Some quick googling, and I discovered that </span><span
            style="font-size:12.8000001907349px">in Ubuntu 14.04, the
            sssd option "enumerate" defaults to false, which meant that
            the group memberships were not taking effect, which meant
            that sudo rules based on membership in a group weren't
            working. Setting enumerate to true got everything working.</span></div>
      </div>
    </blockquote>
    <br>
    Enumerate is generally discouraged.<br>
    The fact that enumeration helped means that something was not
    correct in the cache.<br>
    It seems it just masked the issue, not solved it.<br>
    <br>
    <blockquote
cite="mid:CAE0pg8rAoXV531oh+xGHV09z1pSUZ=chE_P2RPQKLrcMoWhOQQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div><span style="font-size:12.8000001907349px">Many thanks
            again!</span></div>
        <div><span style="font-size:12.8000001907349px"><br>
          </span></div>
        <div><span style="font-size:12.8000001907349px">-Andrew</span></div>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  </body>
</html>