On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and have
> attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
>
> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892)))]
> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]

The above are the cache searches sssd ran. This is how the sudo rule looks in your cache:

# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb

> (Wed Apr  8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [ad...@ai.co.zw]

And here we see that the sudo rule was returned from SSSD to sudo. But then in sudo, it didn't match for some reason.

I expect it's because of the netgroup; can you check if nisdomainname is really set correctly and getent netgroup mailservers reports the FQDN of your client?

Also, you can enable debugging in sudo itself. See man sudo.conf and search for the option "Debug". That will show you how exactly sudo matches the rules.

> (Wed Apr  8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
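Added example, not part of the thread and not SSSD or sudo code: a small POSIX sh helper that puts the two checks suggested in the reply (the NIS domain name, and whether `getent netgroup mailservers` lists the client's FQDN) into one script. It models the host side of innetgr(3) in simplified form, which is an assumption of this example: an empty triple field is a wildcard, "-" never matches a real host, the domain is compared only when both the triple and the client have one, and hostnames compare case-insensitively. The netgroup line and hostnames in the block are constructed sample data, not the poster's; `getent netgroup` already expands nested netgroups into (host,user,domain) triples, so only triples are parsed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, SSSD or sudo): check whether
# this client would match a sudoHost of "+<netgroup>" the way sudo's innetgr()
# call does, using a simplified model of the innetgr(3) matching rules.

# netgroup_has_host NETGROUP_LINE HOST [DOMAIN]
#   NETGROUP_LINE is one line in `getent netgroup` format:
#     mailservers (host1,user,domain) (host2,,domain) ...
#   Returns 0 when HOST is a member for DOMAIN, 1 otherwise.
netgroup_has_host() {
    printf '%s\n' "$1" | awk -v host="$2" -v domain="$3" '
    BEGIN { found = 0; host = tolower(host); domain = tolower(domain) }
    {
        # Field 1 is the netgroup name; every later field is a triple.
        for (i = 2; i <= NF; i++) {
            t = $i
            gsub(/^\(|\)$/, "", t)               # strip the surrounding ( )
            n = split(t, f, ",")
            h = tolower(f[1])
            d = (n >= 3) ? tolower(f[3]) : ""
            if (h != "" && h != host) continue   # empty host = wildcard, "-" never matches
            if (domain != "" && d != "" && d != domain) continue
            found = 1
        }
    }
    END { exit (found ? 0 : 1) }'
}

# check_sudo_host NETGROUP: live version of the check from the reply. Uses the
# real hostname -f, nisdomainname and getent on this machine (not run offline).
check_sudo_host() {
    ng=$1
    fqdn=$(hostname -f 2>/dev/null)
    dom=$(nisdomainname 2>/dev/null)
    case $dom in ""|"(none)") dom="" ;; esac    # Linux prints "(none)" when unset
    line=$(getent netgroup "$ng") || { echo "netgroup $ng not found"; return 2; }
    echo "client FQDN : ${fqdn:-<unknown>}"
    echo "NIS domain  : ${dom:-<unset>}"
    echo "netgroup    : $line"
    if netgroup_has_host "$line" "$fqdn" "$dom"; then
        echo "OK: $fqdn is a member of +$ng"
    else
        echo "MISMATCH: $fqdn is not in +$ng, so sudoHost: +$ng will not apply"
        return 1
    fi
}

# Constructed sample data (stand-ins for the thread's "mailservers" netgroup).
SAMPLE_NETGROUP='mailservers (mail1.example.test,-,example.test) (mail2.example.test,-,example.test)'
SAMPLE_WILDCARD='allhosts (,-,example.test)'

# Usage on a real client:  sh sudohost_check.sh --live mailservers
if [ "${1-}" = "--live" ]; then
    check_sudo_host "${2:-mailservers}"
fi
```

The live function prints the three values the reply asks for side by side; the usual failure is that `hostname -f` returns a short name or a different FQDN from the one in the netgroup triples, which is exactly the case the offline checks below cover.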