On Thu, Nov 20, 2014 at 01:46:29AM -0800, Karim wrote:
I have two forests, both working fine in terms of authentication.
I added a user to sudoers from one of the domains and he is getting access denied.
The user is able to log in with no problem; sudo is not working.
In the secure log it shows "account is expired".
In the SSSD logs it shows the error
"attempting to kinit for realm xxxxxx" then
"clients credentials has been revoked".
I checked the account and it is neither expired nor locked.
Additionally: I have another account on the same forest which I used to join to the
domain, and it is working fine for both authentication and sudoers.
I also tried ldap_user_principal = no suchattribute and krb5_use_enterprise_principal =
but the problem remains.
What could be the reason behind being able to access and later getting clients credential
revoked for sudoers?

I suspect sssd just logged you in offline.
Can you run kinit from the command line?