I noticed in the logs that kinit is being done from the other realm user is member of Domain B, Forest A, in the log immediately before returning "clients credentials has been revoked" the kinit is being done on Domain A, Forest A
could that be the problem, going to the wrong realm?
I deleted all the cache and user is able to access via ssh but still no elevation via sudo.
From: email@example.com To: firstname.lastname@example.org Subject: sssd able to login the user but failed on sudo Date: Thu, 20 Nov 2014 01:46:29 -0800
Hi Team, i have two forests both working fine in terms of authentication. I added a user to sudoers from one of the domains and he is getting access denied. the user is able to login with no problem, sudo is not working. in the secure log it shows "account is expired"
in the SSSD logs it shows error "attempting to kinit for realm xxxxxx" then "clients credentials has been revoked"
i checked the account and it is not expired nor locked. additionally: I have another account on the same forest which i used to join to the domain and it is working fine on both authentication and sudoers.
I also tried ldap_user_principal = no suchattribute and krb5_use_enterprise_principal = false but the problem remains.
what could be the reason behind being able to access and later getting clients credential revoked for sudoes?