Hi Rob, unfortunately not. I am honestly out of options here. I must be missing
something trivial or it is a configuration issue.

I am clearing the cache of the user on the idm server as the client. Even 
removed sssd cache, rebooted both client and idm controllers.
Sudo permission is simply not granted. 



-----
[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.redacted.services --service=sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_ansible_ssh2idm
  Not matched rules: allow_systemd-user
  Not matched rules: test_aduser
[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.redacted.services --service=sudo
--------------------
Access granted: True
--------------------
  Matched rules: allow_ansible_ssh2idm
  Not matched rules: allow_systemd-user
  Not matched rules: test_aduser
[root@idm01 ~]# ipa hbactest --user=ansible --host=debclient1.linux.redacted.services --service=sudo-i
--------------------
Access granted: True
--------------------
  Matched rules: allow_ansible_ssh2idm
  Not matched rules: allow_systemd-user
  Not matched rules: test_aduser
[root@idm01 ~]# sss_cache -u ansible@linux.redacted.services && systemctl restart sssd
[root@idm01 ~]# getent passwd ansible@linux.redacted.services
ansible:*:996000008:996000008:(TESTING-111111):/home/ansible:/bin/bash
[root@idm01 ~]# ipa hbacrule-show   allow_ansible_ssh2idm
  Rule name: allow_ansible_ssh2idm
  Host category: all
  Service category: all
  Enabled: True
  Users: ansible
  
root@debclient1:/var/log/sssd# sss_cache -u ansible@linux.redacted.services && systemctl restart sssd
root@debclient1:/var/log/sssd# getent passwd ansible@linux.redacted.services
ansible:*:996000008:996000008:(TESTING-111111):/home/ansible:/bin/bash
----


On the client:

----
ansible@debclient1:~$ sudo -i
[sudo] password for ansible: 
ansible is not allowed to run sudo on debclient1.
----


Kind regards..