If my memory serves me correctly, I think it was ipa-server-trust-ad.  Maybe I 
had wrongfully assumed that it got installed as part of the replica setup 
process?  After all, the master already had that running.

Then again, I could have missed something in the docs or had a different 
interpretation at the time I read it.  Sometimes it's just good to step away 
from a problem and look at it later.  New ideas will come to mind that you 
didn't think of before.

________________________________
From: Rob Crittenden <[email protected]>
Sent: Tuesday, October 12, 2021 1:30 PM
To: FreeIPA users list <[email protected]>
Cc: Jeremy Tourville <[email protected]>
Subject: Re: [Freeipa-users] [SOLVED] New IPA server and unable to sudo from 
client

I'm glad to hear that ipa-healthcheck helped. What missing package did
you install which ultimately got things working?

rob

Jeremy Tourville via FreeIPA-users wrote:
> I had two IPA servers set up - my master and the replica.  When performing the 
> HBAC test (which includes a sudo rules test as a component of the HBAC test) 
> the test would say access granted from the master.  I had not tried to run 
> the same test from the replica until this weekend when I did so by accident.  
> The test told me access denied.  For a moment I was puzzled until I realized 
> I was running the test from the replica.  Then I tried the same test again 
> from the master and the test passed.  This made me realize something was 
> wrong and needed to be investigated further.  I decided to install the ipa 
> healthcheck tool on both servers and see what it told me.  I read the 
> documentation and ran all available healthchecks.  Sure enough, one of the 
> healthchecks failed.  It didn't have just one failure though, there were many 
> failures for the same test.  I learned that even though the replica install 
> logs showed installation success I was still missing a package that needed to 
> be installed separately.  Once I installed the correct ipa package and ran the 
> healthcheck again all tests passed.  Now, when running the HBAC test in the 
> GUI, both servers showed access granted.  A last test from the client still 
> didn't work.  I cleared the sssd cache and tried again.  Now sudo worked!  It 
> certainly underscored how important it is to have a healthy system status.  
> Also, the problem appeared to be one thing in my mind but turned out being 
> totally different when actually resolved.  Keep your mind open to all 
> possibilities.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
>
