I had two IPA servers set up - my master and the replica. When performing the HBAC test (which includes a sudo rules test as a component of the HBAC test) the test would say access granted from the master. I had not tried to run the same test from the replica until this weekend when I did so by accident. The test told me access denied. For a moment I was puzzled until I realized I was running the test from the replica. Then I tried the same test again from the master and the test passed. This made me realize something was wrong and needed to be investigated further.

I decided to install the ipa healthcheck tool on both servers and see what it told me. I read the documentation and ran all available healthchecks. Sure enough, one of the healthchecks failed. It didn't have just one failure though, there were many failures for the same test. I learned that even though the replica install logs showed installation success I was still missing a package that needed to be installed separately. Once I installed the correct ipa package and ran the healthcheck again all tests passed. Now, when running the HBAC test in the GUI, both servers showed access granted. A last test from the client still didn't work. I cleared the sssd cache and tried again. Now sudo worked!

It certainly underscored how important it is to have a healthy system status. Also, the problem appeared to be one thing in my mind but turned out to be totally different when actually resolved. Keep your mind open to all possibilities.
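The situation described above, a master that passes and a replica that fails the same checks, is easy to miss when you read the healthcheck output of one server at a time. The following is an added example, not code from the thread or from the freeipa-healthcheck project: it takes the JSON that `ipa-healthcheck --output-type json` writes on each server (assumed here to be a list of objects with `source`, `check`, `result` and `kw` keys, with `result` one of SUCCESS, WARNING, ERROR or CRITICAL), collapses the many results one check can emit into a single worst status per check, and reports the checks whose status differs between the two hosts. The sample data is constructed; the thread does not say which check failed, so the ERROR on the replica and the messages are made up for illustration, while the check names themselves are real ipa-healthcheck checks.

```python
"""Compare `ipa-healthcheck --output-type json` output from two IPA servers.

Added example (not part of the thread or of freeipa-healthcheck). Assumes the
JSON output is a list of objects with "source", "check", "result" and "kw"
keys, and that "result" is SUCCESS, WARNING, ERROR or CRITICAL.
"""
import json
from collections import Counter

# Order used to collapse several results from one check into one status.
# Unknown statuses sort above CRITICAL so they are never hidden.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}
NOT_RUN = "NOT RUN"

# Constructed sample output in the shape ipa-healthcheck emits. The check
# names are real checks; the statuses and messages are made up.
MASTER_JSON = """[
  {"source": "ipahealthcheck.meta.core", "check": "MetaCheck", "result": "SUCCESS", "kw": {}},
  {"source": "ipahealthcheck.ipa.roles", "check": "IPACRLManagerCheck", "result": "SUCCESS", "kw": {}},
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustAgentCheck", "result": "SUCCESS", "kw": {}}
]"""

REPLICA_JSON = """[
  {"source": "ipahealthcheck.meta.core", "check": "MetaCheck", "result": "SUCCESS", "kw": {}},
  {"source": "ipahealthcheck.ipa.roles", "check": "IPACRLManagerCheck", "result": "SUCCESS", "kw": {}},
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustAgentCheck", "result": "ERROR",
   "kw": {"key": "constructed-1", "msg": "constructed failure message 1"}},
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustAgentCheck", "result": "ERROR",
   "kw": {"key": "constructed-2", "msg": "constructed failure message 2"}},
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustAgentCheck", "result": "ERROR",
   "kw": {"key": "constructed-3", "msg": "constructed failure message 3"}}
]"""


def parse_results(text):
    """Parse healthcheck JSON; reject anything that is not a list of result objects."""
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(r, dict) for r in data):
        raise ValueError("expected a JSON list of healthcheck result objects")
    return data


def summarize(results):
    """Count results by status, e.g. {'SUCCESS': 2, 'ERROR': 3}."""
    return dict(Counter(r.get("result", "UNKNOWN") for r in results))


def failures(results):
    """Every non-SUCCESS result as (source, check, status, message)."""
    return [
        (r["source"], r["check"], r.get("result", "UNKNOWN"), r.get("kw", {}).get("msg", ""))
        for r in results
        if r.get("result") != "SUCCESS"
    ]


def worst_status_per_check(results):
    """Collapse the possibly many results of one (source, check) into its worst status."""
    worst = {}
    for r in results:
        k = (r["source"], r["check"])
        status = r.get("result", "UNKNOWN")
        if k not in worst or SEVERITY.get(status, 99) > SEVERITY.get(worst[k], 99):
            worst[k] = status
    return worst


def divergent_checks(results_a, results_b):
    """Checks whose worst status differs between two hosts, or that ran on only one."""
    a = worst_status_per_check(results_a)
    b = worst_status_per_check(results_b)
    return {
        k: (a.get(k, NOT_RUN), b.get(k, NOT_RUN))
        for k in sorted(set(a) | set(b))
        if a.get(k, NOT_RUN) != b.get(k, NOT_RUN)
    }


def report(results_a, results_b, name_a="master", name_b="replica"):
    """Human-readable comparison: per-host summary, divergent checks, then each failure on host B."""
    lines = [f"{name_a}: {summarize(results_a)}", f"{name_b}: {summarize(results_b)}"]
    for (source, check), (sa, sb) in divergent_checks(results_a, results_b).items():
        lines.append(f"DIVERGENT {source}.{check}: {name_a}={sa} {name_b}={sb}")
    for source, check, status, msg in failures(results_b):
        lines.append(f"  {name_b} {status} {source}.{check}: {msg}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_results(MASTER_JSON), parse_results(REPLICA_JSON)))
```

On real servers you would feed `report()` the saved output of `ipa-healthcheck --output-type json` from each host; a check that appears as NOT RUN on one side is worth as much attention as an ERROR, since a check that never ran is exactly what a missing server package looks like.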
I'm glad to hear that ipa-healthcheck helped. What missing package did you install which ultimately got things working?
rob
Jeremy Tourville via FreeIPA-users wrote:
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
If my memory serves me correctly, I think it was ipa-server-trust-ad. Maybe I had wrongfully assumed that it got installed as part of the replica setup process? After all, the master already had that running.
Then again, I could have missed something in the docs or had a different interpretation at the time I read it. Sometimes it's just good to step away from a problem and look at it later. New ideas will come to mind that you didn't think of before.
________________________________
From: Rob Crittenden rcritten@redhat.com
Sent: Tuesday, October 12, 2021 1:30 PM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Jeremy Tourville jeremy_tourville@hotmail.com
Subject: Re: [Freeipa-users] [SOLVED] New IPA server and unable to sudo from client
I'm glad to hear that ipa-healthcheck helped. What missing package did you install which ultimately got things working?
rob