Hmm, though it could be my test setup, which seems to fall off the
domain commonly (perhaps after an sss_cache -E) with errors like:

Oct 4 12:21:57 how-centos6-tpl [sssd[ldap_child[15261]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

John
On 4 October 2016 at 12:21, John Beranek <john(a)redux.org.uk> wrote:
One further question about SSSD and sudo...is it possible to force a
cache refresh?
There's no mention of sudo in sss_cache(8), and doing "sss_cache -E"
doesn't appear to refresh the rules.
I've made a change to a sudo rule in AD, but it doesn't seem to be
very quick to propagate down to the SSSD client...
John
On 4 October 2016 at 10:52, John Beranek <john(a)redux.org.uk> wrote:
> On 4 October 2016 at 10:37, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>>
>> On Tue, Oct 04, 2016 at 10:32:51AM +0100, John Beranek wrote:
>> > Hi,
>> >
>> > I've been following Jakub's useful blog post[1], attempting to get sudo
>> > rules into our Active Directory, and usable by sudo via SSSD.
> [snip]
>> >
>> >
>> > Thoughts?
>>
>> Yes, sorry about this, it's a known bug:
>>
>> https://fedorahosted.org/sssd/ticket/3203
>> and we are working on a fix..
>
> OK, thanks. Just to confirm, groups specified in the sudo rule are
> also being matched with case sensitivity, not just users.
>
> John
>
> --
> John Beranek To generalise is to be an idiot.
> http://redux.org.uk/ -- William Blake
--
John Beranek To generalise is to be an idiot.
http://redux.org.uk/ -- William Blake