Turn up the dial on debug logging on SSSD to find out more.

John

On 24 May 2019, at 13:00, Rob Verduijn via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hello,

I'm trying to figure out why an ad-domain user cannot use sudo.

When I test with

ipa hbactest --user=ansible --host ipa01.linux.example.com --service sudo-i
It says access granted: True

However, if I issue the command 'sudo -l -U ansible' on the ipa01 host it says: User ansible@windows.example.com is not allowed to run sudo on ipa01

It works for an ipa user using the same sudo rule.
id ansible works as well on the ipa01 host
uid=1958801104(ansible@windows.example.com) gid=1958801104(ansible@windows.example.com) groups=1958801104(ansible@windows.example.com),1958800512(domain admins@windows.example.com),1958800513(domain users@windows.example.com)

The user ansible can log in to the ipa01 host but cannot issue sudo -i.

What am I missing?

Rob Verduijn
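
The following is an added example, not part of either poster's message: one way to act on the suggestion to raise SSSD debug logging for a sudo lookup. It assumes the IPA domain section is named `domain/linux.example.com` (inferred from the host name in the post), uses a constructed sample config, and picks debug level 6 as an illustrative value; `set_sssd_debug` and `sample_conf` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread). Prints FILE with debug_level set to
# LEVEL in each named section; every other section and option passes through
# unchanged, so the result can be diffed against the original before use.
# Usage: set_sssd_debug FILE LEVEL SECTION...
set_sssd_debug() {
    conf=$1; level=$2; shift 2
    awk -v level="$level" -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^\[.*\]/ {
            # Section header: remember whether this section was requested.
            name = $0; sub(/^\[/, "", name); sub(/\].*$/, "", name)
            insec = (name in want)
            print
            if (insec) print "debug_level = " level
            next
        }
        insec && /^[ \t]*debug_level[ \t]*=/ { next }   # drop the old value
        { print }
    ' "$conf"
}

# Constructed sample config. The domain name is an assumption based on the
# host name ipa01.linux.example.com mentioned in the post.
sample_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam, sudo
domains = linux.example.com

[domain/linux.example.com]
id_provider = ipa
debug_level = 2

[sudo]
EOF
}
```

After writing the reviewed result to /etc/sssd/sssd.conf and restarting SSSD, repeat `sudo -l -U ansible` and read the sudo responder and domain logs under /var/log/sssd/. Lower the level again once the cause is found, since verbose logs grow quickly and record user and rule details.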