<div dir="ltr"><div>Sean, Thanks for the reply. I don't think that's my problem but I'm posting a redacted copy of the sssd.conf file for review below. [domain/<a href="http://domain.com">domain.com</a>] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = <a href="http://domain.com">domain.com</a> id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = <a href="http://docker-dev-01.domain.com">docker-dev-01.domain.com</a> chpass_provider = ipa ipa_server = _srv_, <a href="http://server.domain.com">server.domain.com</a> ldap_tls_cacert = /etc/ipa/ca.crt debug_level=7 [sssd] services = nss, sudo, pam, ssh debug_level=7 domains = <a href="http://domain.com">domain.com</a> [nss] homedir_substring = /home [pam] [sudo] debug_level=7 [autofs] [ssh] [pac] [ifp] </div>Jeff <div class="gmail_extra"> <div class="gmail_quote">On Wed, Aug 10, 2016 at 2:04 PM, Sean Hogan <<a href="mailto:schogan@us.ibm.com" target="_blank">schogan@us.ibm.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div> Not sure it is the same as 14.X but I had to add the sudo in the list of services to sssd.conf as it was not put in by default. I am by no means an expert on it but my own personal experience with 14.x Sean Hogan <img src="cid:1__=88BB0A98DFF086AF8f9e8a93df938690918c88B@" alt="Inactive hide details for Jeff Goddard ---08/10/2016 10:52:31 AM---I've got a freeipa domain and many centos 7.2 clients. I als" border="0" width="16" height="16">Jeff Goddard ---08/10/2016 10:52:31 AM---I've got a freeipa domain and many centos 7.2 clients. I also have a sudo rule that allows member of From: Jeff Goddard <<a href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a>> To: <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> Date: 08/10/2016 10:52 AM Subject: [Freeipa-users] sudo rules question on ubuntu 16.0.1 Sent by: <a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a> <hr style="color:#8091a5" align="left" noshade size="2" width="100%"> I've got a freeipa domain and many centos 7.2 clients. I also have a sudo rule that allows member of the developer group sudo rights on virtual servers in the "development" group. This works great on the centos servers. However, I recently set up 3 ubuntu boxes, and added them to the IPA domain and then to the "development" group. My sudo rules fail. I've enabled debugging and I see in the /var/log/sssd/sssd_sudo.log that the clients connects to the server, identifies group memberships, and finally prints "returning 1 rules for [<a href="mailto:user@domain.com" target="_blank">user@domain.com</a>]. We only have the single rule so I can't figure out why it's not working. Can someone point me in the correct direction? Thanks, Jeff <tt>-- Manage your subscription for the Freeipa-users mailing list: </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> Go to </tt><tt><a href="http://freeipa.org" target="_blank">http://freeipa.org</a></tt><tt> for more info on the project</tt> </div> </blockquote></div> <div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div> </div> </div></div> </div></div>