IdM sudo not working
I am trying to get sudo working in IdM.
RHEL 8.5
ipa-server: 4.9.8-7.module+el8
sudo: 1.8.29-8.el8
libsss_sudo: 2.6.2-4.el8
/etc/nsswitch.conf:
sudoers: files sss
/etc/sssd/sssd.conf (domain and host names obfuscated):
[domain/my.domain]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = MY.DOMAIN
id_provider = ipa
ipa_domain = my.domain
access_provider = ipa
auth_provider = ipa
chpass_provider = ipa
ipa_hostname = myhost.my.domain
ipa_server = myhost.my.domain
sudo_provider = ldap
ldap_uri = ldap://myhost.my.domain
ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myhost.my.domain
ldap_sasl_realm = MY.DOMAIN
krb5_server = myhost.my.domain
[sssd]
domains = my.domain
certificate_verification = ocsp_dgst=sha1
services = nss, pam, ifp, ssh, sudo
[sudo]
[ifp]
allowed_uids = ipaapi, root
"id user":
uid=300000(user) gid=300000(user) groups=300000(user)
"sudo -U user -l":
User user may run the following commands on myhost:
(user : ALL) NOPASSWD: ls /root
"su - user" followed by "id":
uid=300000(user) gid=300000(user) groups=300000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
To me, all the configuration looks correct.
But, when I do "sudo ls /root" as user:
1) it asks for a password, which for that command it should not, and
2) I get "Sorry, user user is not allowed to execute /usr/bin/ls /root as root on myhost.my.domain"
Can someone tell me what I have configured incorrectly?
Robert.
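
A check of the `sudo -l` entry quoted above against the failing `sudo ls /root` call, added here as an example and not part of the original post. In that output the parenthesised part is the run-as user and group, sudo targets root when no `-u` is given, and sudo rules match commands by fully qualified path. The function names and finding labels are hypothetical, the parser is a simplified model of the entry format, and the second sample line is constructed.

```python
import re

# One entry line as printed by `sudo -l`:
#   (runas_users : runas_groups) [TAG:]... command [args]
ENTRY = re.compile(r"^\s*\((?P<users>[^:)]*)(?::(?P<groups>[^)]*))?\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^[A-Z_]+:\s*")  # NOPASSWD:, PASSWD:, NOEXEC:, ...

def _names(field):
    return [n.strip() for n in (field or "").split(",") if n.strip()]

def parse_entry(line):
    """Split one `sudo -l` entry into run-as lists, tags and command."""
    m = ENTRY.match(line)
    if m is None:
        raise ValueError(f"not a sudo -l entry: {line!r}")
    rest, tags = m.group("rest"), []
    while (t := TAG.match(rest)) is not None:
        tags.append(t.group(0).strip()[:-1])  # drop the trailing colon
        rest = rest[t.end():]
    return {"runas_users": _names(m.group("users")),
            "runas_groups": _names(m.group("groups")),
            "tags": tags, "command": rest.strip()}

def check(line, target_user="root"):
    """Return reasons why `sudo -u target_user <command>` would not match."""
    entry, findings = parse_entry(line), []
    users = entry["runas_users"]
    if "ALL" not in users and target_user not in users:
        findings.append("runas-mismatch")        # rule does not allow this target user
    binary = entry["command"].split()[0]
    if binary not in ("ALL", "sudoedit") and not binary.startswith("/"):
        findings.append("command-not-absolute")  # e.g. "ls" will not match /usr/bin/ls
    return findings

FROM_POST = "    (user : ALL) NOPASSWD: ls /root"        # entry quoted in the post
CONSTRUCTED = "    (root) NOPASSWD: /usr/bin/ls /root"   # constructed for comparison

if __name__ == "__main__":
    for sample in (FROM_POST, CONSTRUCTED):
        print(sample.strip(), "->", check(sample) or "no findings")
```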