On Thu, Jan 05, 2017 at 01:36:56PM +0000, James Harrison wrote:
> Hi all,
> I am having problems with a FreeIPA client running Ubuntu Xenial.
> I can authenticate OK, I get a kerberos ticket, but cannot run sudo.
> I get 1 rule returned, which I expect.
> Many thanks,
> James Harrison

I would check (with the help of ldbsearch against the sssd cache or with the help of the sudo logs) if the rule is really the one you are expecting or if it's just the cn=defaults rule.

If it's just cn=defaults, then I would check if the rules are downloaded (sssd always downloads all rules applicable for the host IIRC) or if they just don't match the filter that you can see in the debug message from sudosrv_get_sudorules_query_cache. Keep in mind that this is a filter that applies for the sssd cache, not LDAP.

And lastly, if the rules are downloaded as expected, the sudo rules would tell you why the rule didn't match.

All in all, this document:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
describes how to troubleshoot the sudo integration.
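
Added example, not part of the original message or of sssd: a small Python parser for saved `ldbsearch` output that shows whether the cache holds anything besides cn=defaults. The sample output, domain and rule names are constructed, and the attribute layout (objectClass sudoRule, sudoUser, sudoHost, sudoCommand) is assumed to match what the cache stores.

```python
import base64
import sys

# Constructed ldbsearch output: domain, rule names and values are made up.
SAMPLE = """\
# record 1
dn: name=defaults,cn=sudorules,cn=custom,cn=example.test,cn=sysdb
cn: defaults
objectClass: sudoRule

dn: name=admins_all,cn=sudorules,cn=custom,cn=example.test,cn=sysdb
cn: admins_all
objectClass: sudoRule
sudoUser: %admins
sudoHost: web1.exam
 ple.test
sudoCommand:: L3Vzci9iaW4vbGVzcw==
"""


def parse_records(text):
    """Parse LDIF-style ldbsearch output into a list of {attr: [values]}."""
    records, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold first
        if line.startswith("#"):
            continue
        if line.strip():
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: <base64 value>"
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            current.setdefault(attr.lower(), []).append(value.strip())
        elif current:                            # blank line ends a record
            records.append(current)
            current = {}
    return records


def sudo_rule_report(text):
    """Return (has_defaults, rules) for the sudoRule objects in the output."""
    rules = {}
    for rec in parse_records(text):
        if "sudorule" in [v.lower() for v in rec.get("objectclass", [])]:
            rules[rec.get("cn", ["?"])[0]] = {
                k: rec.get(k, []) for k in ("sudouser", "sudohost", "sudocommand")}
    has_defaults = rules.pop("defaults", None) is not None
    return has_defaults, rules


if __name__ == "__main__":  # optional argument: file with saved ldbsearch output
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(sudo_rule_report(text))
```

An empty rules dictionary with has_defaults set to True is the "just cn=defaults" case described in the reply above.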