I had two IPA servers set up - my master and the replica. When performing the HBAC test
(which includes a sudo rules test as a component of the HBAC test) the test would say
access granted from the master. I had not tried to run the same test from the replica
until this weekend when I did so by accident. The test told me access denied. For a
moment I was puzzled until I realized I was running the test from the replica. Then I
tried the same test again from the master and the test passed. This made me realize
something was wrong and needed to be investigated further. I decided to install the ipa
healthcheck tool on both servers and see what it told me. I read the documentation and
ran all available healthchecks. Sure enough, one of the healthchecks failed. It
didn't have just one failure though; there were many failures for the same test. I
learned that even though the replica install logs showed installation success, I was still
missing a package that needed to be installed separately. Once I installed the correct
ipa package and ran the healthcheck again all
tests passed. Now, when running the HBAC test in the GUI, both servers showed access
granted. A last test from the client still didn't work. I cleared the sssd cache and
tried again. Now sudo worked! It certainly underscored how important it is to have a
healthy system status. Also, the problem appeared to be one thing in my mind but turned
out to be totally different when actually resolved. Keep your mind open to all
possibilities.