OK. Changed debug_level to 7. I already had it in the domain section (first line).
Not sure if this makes a difference:

[root@map1 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

from sssd_sudo.log
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [tuser2] from [<ALL>]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [tus...@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [tus...@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [tuser2] from [server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [tuser2] from [<ALL>]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [tus...@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [tus...@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [tuser2] from [server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [tus...@server.domain.com]
(Mon Aug 25 12:31:42 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

from sssd_server.log
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_subdomains] (0x0400): Got get subdomains [not forced][]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_subdomains] (0x0400): Cannot proceed, provider is offline.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_subdomains] (0x1000): Request processed. Returned 1,11,Provider is offline
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=1079600005]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use DNS discovery domain 'server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Trying with the next one!
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'name resolved'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'dir1.server.domain.com' is 'neutral'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'name resolved'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.domain.com: [10.10.26.148] TTL 7200
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://dir1.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dir1.server.domain.com:389/??base] with fd [25].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/map1.server.domain.com, server.domain.com, 86400)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'name resolved'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'name resolved'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.domain.com: [10.10.26.148] TTL 7200
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 72
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_server.domain.com], expired on [1409056143]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1408970643
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/map1.server.domain.com
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [child_sig_handler] (0x1000): Waiting for child [17983].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [child_sig_handler] (0x0100): child [17983] finished successfully.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'dir1.server.domain.com' as 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [set_server_common_status] (0x0100): Marking server 'dir1.server.domain.com' as 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=server,dc=domain,dc=com]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1079600005)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=server,dc=domain,dc=com].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_save_group] (0x0400): Processing group tuser2
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_save_group] (0x1000): Original USN value is not available for [tuser2].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_save_group] (0x0400): Storing info for group tuser2
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_save_grpmem] (0x1000): No members for group [tuser2]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_save_grpmem] (0x0400): Storing members for group tuser2
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1408969743
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'dir1.server.domain.com' is 'not working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x0100): Reseting the status of port 389 for server 'dir1.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.domain.com: [10.10.26.148] TTL 7200
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://dir1.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dir1.server.domain.com:389/??base] with fd [26].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/dir1.server.domain.com, server.domain.com, 86400)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service KERBEROS
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.domain.com: [10.10.26.148] TTL 7200
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 72
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Error writing to key table], expired on [0]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [5] result [4]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dir1.server.domain.com' as 'not working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'dir1.server.domain.com' is 'not working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [child_sig_handler] (0x1000): Waiting for child [17984].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [child_sig_handler] (0x0100): child [17984] finished successfully.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily unavailable)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is offline. Scheduling another full refresh in 6 minutes.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1408970103
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1408969743
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily unavailable)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is offline. Scheduling another full refresh in 8 minutes.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1408970223
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=server,dc=domain,dc=com].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=server,dc=domain,dc=com].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sysdb_update_ranges] (0x0400): Adding range [server.domain.com_id_range].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sysdb_range_create] (0x0040): Invalid range, expected that either the secondary base rid or the SID of the trusted domain is set, but not both or none of them.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sysdb_range_create] (0x0400): Error: 22 (Invalid argument)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sysdb_update_ranges] (0x0040): sysdb_range_create failed.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [ipa_subdomains_handler_ranges_done] (0x0040): sysdb_update_ranges failed.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file or directory]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.server.domain.com], [2][No such file or directory]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file or directory]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=tuser2]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): domain: server.domain.com
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): user: tuser2
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): service: sudo
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): ruser: tuser2
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): rhost:
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): authtok size: 23
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): priv: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): cli_pid: 17982
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [cc_residual_is_used] (0x1000): User [1079600005] is still active, reusing ccache [/tmp/krb5cc_1079600005_Hfzpn4].
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [check_for_valid_tgt] (0x1000): TGT end time [1409049392].
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [check_for_valid_tgt] (0x0080): TGT is valid.
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.domain.com: [10.10.26.148] TTL 7200
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://dir1.server.domain.com'
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_1079600005_Hfzpn4 if of different type than ccache in configuration file, reusing the old ccache
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [sysdb_cache_auth] (0x0100): Hashes do match!
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): Sending result [9][server.domain.com]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): Sent result [9][server.domain.com]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): domain: server.domain.com
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): user: tuser2
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): service: sudo
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): ruser: tuser2
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): rhost:
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): authtok size: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): priv: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): cli_pid: 17982
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [sdap_access_send] (0x0400): Performing access check for user [tuser2]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [tuser2]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [hbac_eval_user_element] (0x1000): [2] groups for [tuser2]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [hbac_eval_user_element] (0x1000): Added group [ipausers] for user [tuser2]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][server.domain.com]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][server.domain.com]

On Mon, Aug 25, 2014 at 8:11 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Aug 25, 2014 at 06:51:27AM -0400, Megan . wrote:
>> Good Morning,
>>
>> I'm very new to freeIPA. I'm running CentOS 6.5 with freeIPA v3.
>>
>> I have the freeIPA server up but I'm working on getting SUDO
>> configured. Currently I'm having problems getting sudo commands to
>> work on the client. I'm a bit unclear if I have everything configured
>> correctly. The only thing that I can figure out might be an issue is,
>> when I try the sudo command, I see a filter search with
>> objectclass=sudoRule but when I check the ldap server it has
>
> These two searches are unrelated. The sudoRule objectclass is what we use
> internally in the sssd cache. On the LDAP side, sudoRole is used.
>
> In general, only the [domain] process works with LDAP data, all others
> (nss, pam, sudo, ...) work with cached data that might look totally
> different.
>
>> objectclass=sudoRole, so there are no results.
>>
>> Any ideas? Thank you in advance for any advice.
>>
>
> Can you put debug_level into the domain section as well and increase the
> debug_level of both to 7?
>
>>
>>
>> [tuser2@map1 ~]$ sudo /sbin/iptables -L
>> Enter RSA PIN+token:
>> tuser2 is not allowed to run sudo on map1. This incident will be reported.
>>
>>
>> CLIENT:
>>
>> yum installed libsss_sudo
>>
>> I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
>>
>> **still not sure what this is for **
>> Created a sudo user on ldap server
>> ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory
>> Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
>> **
>
> The config file looks good to me.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
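Added example, not code from the thread or from the sssd project: a small Python parser for the sssd debug line format quoted above, which pulls out the backend's PAM result tuples (the log's own text identifies pam_status 9 as "Authentication service cannot retrieve authentication info", i.e. PAM_AUTHINFO_UNAVAIL) and the rule counts the sudo responder returns from its cache, the cache-versus-LDAP distinction Jakub describes. The sample lines are constructed to match the posted output and are not a real capture.

```python
import re
# Field layout of the sssd debug lines quoted in the thread:
# (timestamp) [sssd[component]] [function] (0xlevel): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[(?P<comp>.+?)\]\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
BACKEND_RE = re.compile(r"Backend returned: \((\d+), (\d+), .*?\) \[(.*)\]")
RULES_RE = re.compile(r"Returning (\d+) rules for \[(.*)\]")

# Constructed sample modelled on the lines posted in the thread (not a real capture).
SAMPLE_LOG = [
    "(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): "
    "Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]",
    "(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT",
    "(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): "
    "Backend returned: (0, 0, <NULL>) [Success]",
    "(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): "
    "Returning 0 rules for [<default options>@server.domain.com]",
    "garbage line that is not sssd output",
]

def parse_line(line):
    """Split one sssd debug line into ts/comp/func/level/msg, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Collect the PAM status codes the backend sent, whether the provider reported itself
    offline, and how many cached sudo rules the sudo responder returned (it never queries LDAP)."""
    report = {"offline": False, "pam_results": [], "rules_returned": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        m = BACKEND_RE.search(rec["msg"])
        if m:  # tuple is (status, pam_status, msg); pam_status 9 = PAM_AUTHINFO_UNAVAIL, 0 = PAM_SUCCESS
            report["pam_results"].append((rec["comp"], int(m.group(2)), m.group(3)))
            report["offline"] |= "Offline" in m.group(3)
        m = RULES_RE.search(rec["msg"])
        if m:
            report["rules_returned"].append((m.group(2), int(m.group(1))))
    return report

def diagnose(report):
    """Plain findings in the order a troubleshooter would check them."""
    findings = []
    if report["offline"]:
        findings.append("backend went offline: PAM requests were answered from the cache, not LDAP")
    findings += [f"sudo responder returned 0 cached rules for {who}" for who, n in report["rules_returned"] if n == 0]
    return findings
```

Run it over the real domain and sudo logs (one file per component, as in the thread) to see at a glance whether a sudo denial came from an offline provider or from an empty rule cache.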