-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Megan,

I had the same problem with CentOS 6.5 and FreeIPA. I did a ton of searching, and IIRC the conclusion was a bug in that version of sssd. I don't remember all of the details, however I do remember the workaround.

Create a system account (in this case I called it sudo). Create or edit the following file:

/etc/sudo-ldap.conf

## BINDDN DN
## The BINDDN parameter specifies the identity, in the form of a
## Distinguished Name (DN), to use when performing LDAP operations.
## If not specified, LDAP operations are performed with an anonymous
## identity. By default, most LDAP servers will allow anonymous
## access.
##
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com

## BINDPW secret
## The BINDPW parameter specifies the password to use when performing
## LDAP operations. This is typically used in conjunction with the
## BINDDN parameter.
##
bindpw ${obfusticated}

## SSL start_tls
## If the SSL parameter is set to start_tls, the LDAP server
## connection is initiated normally and TLS encryption is begun before
## the bind credentials are sent. This has the advantage of not
## requiring a dedicated port for encrypted communications. This
## parameter is only supported by LDAP servers that honor the
## start_tls extension, such as the OpenLDAP and Tivoli Directory
## servers.
##
ssl start_tls

## TLS_CACERTFILE file name
## The path to a certificate authority bundle which contains the
## certificates for all the Certificate Authorities the client knows
## to be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only
## supported by the OpenLDAP libraries. Netscape-derived LDAP
## libraries use the same certificate database for CA and client
## certificates (see TLS_CERT).
##
tls_cacertfile /etc/ipa/ca.crt

## TLS_CHECKPEER on/true/yes/off/false/no
## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
## certificate to be verified. If the server's TLS certificate cannot
## be verified (usually because it is signed by an unknown certificate
## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
## is disabled, no check is made. Note that disabling the check
## creates an opportunity for man-in-the-middle attacks since the
## server's identity will not be authenticated. If possible, the CA's
## certificate should be installed locally so it can be verified.
## This option is not supported by the Tivoli Directory Server LDAP
## libraries.
tls_checkpeer yes
##
## URI ldap[s]://[hostname[:port]] ...
## Specifies a whitespace-delimited list of one or more
## URIs describing the LDAP server(s) to connect to.
##
uri ldap://freeipaserver1 ldap://freeipaserver2
##
## SUDOERS_BASE base
## The base DN to use when performing sudo LDAP queries.
## Multiple SUDOERS_BASE lines may be specified, in which
## case they are queried in the order specified.
##
sudoers_base ou=sudoers,dc=domain,dc=com
##
## BIND_TIMELIMIT seconds
## The BIND_TIMELIMIT parameter specifies the amount of
## time to wait while trying to connect to an LDAP server.
##
#bind_timelimit 30
##
## TIMELIMIT seconds
## The TIMELIMIT parameter specifies the amount of time
## to wait for a response to an LDAP query.
##
#timelimit 30
##
## SUDOERS_DEBUG debug_level
## This sets the debug level for sudo LDAP queries. Debugging
## information is printed to the standard error. A value of 1
## results in a moderate amount of debugging information.
## A value of 2 shows the results of the matches themselves.
##
sudoers_debug 0

And in your nsswitch.conf change the sudoers line to:

sudoers: files ldap sss

On a side note, setting the nisdomain parameter in rc.local is a hack at best. This should be set, on a Red Hat based system (RHEL, CentOS, etc.), in /etc/sysconfig/network, and should look like NISDOMAIN=your.domain.here. The professionals may say otherwise on switching to ldap based auth/sudo access, and I will learn something. At least this gets you up and running until an actual solution is found. As I stated earlier, I believe I had found a bug report on this, I am just having a hard time finding it again.

Thanks,
Bill

On Mon Aug 25 05:33:51 2014, Megan . wrote:
> ok. Changed debug_level to 7. I already had it in the domain section (first line).
>
> Not sure if this makes a difference
>
> [root@map1 pam.d]# cat system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        required      pam_tally2.so deny=5
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
>
> from sssd_sudo.log
>
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [tuser2] from [<ALL>]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [tus...@server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [tus...@server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [tuser2] from [server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'tuser2' matched without domain, user is tuser2
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [tuser2] from [<ALL>]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [tus...@server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [tus...@server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [tuser2] from [server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [tus...@server.domain.com]
> (Mon Aug 25 12:31:42 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>
> from sssd_server.log
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_subdomains] (0x0400): Got get subdomains [not forced][]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_subdomains] (0x0400): Cannot proceed, provider is offline.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_subdomains] (0x1000): Request processed. Returned 1,11,Provider is offline
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=1079600005]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use DNS discovery domain 'server.domain.com'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.server.domain.com'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.server.domain.com'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Trying with the next one!
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'name resolved'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'dir1.server.domain.com' is 'neutral'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'name resolved'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.domain.com: [10.10.26.148] TTL 7200
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://dir1.server.domain.com'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dir1.server.domain.com:389/??base] with fd [25].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/map1.server.domain.com, server.domain.com, 86400)
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'name resolved'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'name resolved'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.domain.com: [10.10.26.148] TTL 7200
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 72
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_server.domain.com], expired on [1409056143]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1408970643
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/map1.server.domain.com
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [child_sig_handler] (0x1000): Waiting for child [17983].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [child_sig_handler] (0x0100): child [17983] finished successfully.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'dir1.server.domain.com' as 'working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [set_server_common_status] (0x0100): Marking server 'dir1.server.domain.com' as 'working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=server,dc=domain,dc=com]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1079600005)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=server,dc=domain,dc=com].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_save_group] (0x0400): Processing group tuser2
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_save_group] (0x1000): Original USN value is not available for [tuser2].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_save_group] (0x0400): Storing info for group tuser2
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_save_grpmem] (0x1000): No members for group [tuser2]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_save_grpmem] (0x0400): Storing members for group tuser2
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1408969743
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'dir1.server.domain.com' is 'not working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x0100): Reseting the status of port 389 for server 'dir1.server.domain.com'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.domain.com: [10.10.26.148] TTL 7200
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://dir1.server.domain.com'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dir1.server.domain.com:389/??base] with fd [26].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/dir1.server.domain.com, server.domain.com, 86400)
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service KERBEROS
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.domain.com: [10.10.26.148] TTL 7200
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 72
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Error writing to key table], expired on [0]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [5] result [4]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dir1.server.domain.com' as 'not working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'dir1.server.domain.com' is 'not working'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [child_sig_handler] (0x1000): Waiting for child [17984].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [child_sig_handler] (0x0100): child [17984] finished successfully.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily unavailable)
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is offline. Scheduling another full refresh in 6 minutes.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1408970103
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1408969743
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily unavailable)
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is offline. Scheduling another full refresh in 8 minutes.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1408970223
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=server,dc=domain,dc=com].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=server,dc=domain,dc=com].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sysdb_update_ranges] (0x0400): Adding range [server.domain.com_id_range].
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sysdb_range_create] (0x0040): Invalid range, expected that either the secondary base rid or the SID of the trusted domain is set, but not both or none of them.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sysdb_range_create] (0x0400): Error: 22 (Invalid argument)
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sysdb_update_ranges] (0x0040): sysdb_range_create failed.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [ipa_subdomains_handler_ranges_done] (0x0040): sysdb_update_ranges failed.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication.
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file or directory]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.server.domain.com], [2][No such file or directory]
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file or directory]
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=tuser2]
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): domain: server.domain.com
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): user: tuser2
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): service: sudo
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): ruser: tuser2
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): rhost:
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): authtok type: 1
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): authtok size: 23
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): priv: 0
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): cli_pid: 17982
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [cc_residual_is_used] (0x1000): User [1079600005] is still active, reusing ccache [/tmp/krb5cc_1079600005_Hfzpn4].
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [check_for_valid_tgt] (0x1000): TGT end time [1409049392].
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [check_for_valid_tgt] (0x0080): TGT is valid.
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'dir1.server.domain.com' is 'working'
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [get_server_status] (0x1000): Status of server 'dir1.server.domain.com' is 'working'
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.domain.com: [10.10.26.148] TTL 7200
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://dir1.server.domain.com'
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_1079600005_Hfzpn4 if of different type than ccache in configuration file, reusing the old ccache
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [sysdb_cache_auth] (0x0100): Hashes do match!
> > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) > [Provider is Offline (Authentication service cannot retrieve > authentication info)] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [be_pam_handler_callback] (0x0100): Sending result > [9][server.domain.com] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [be_pam_handler_callback] (0x0100): Sent result [9][server.domain.com] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [be_pam_handler] (0x0100): Got request with the following data > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): command: PAM_ACCT_MGMT > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): domain: server.domain.com > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): user: tuser2 > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): service: sudo > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): tty: /dev/pts/1 > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): ruser: tuser2 > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): rhost: > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): authtok type: 0 > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): authtok size: 0 > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): newauthtok type: 0 > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): newauthtok size: 0 > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): priv: 0 > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [pam_print_data] (0x0100): cli_pid: 17982 > > 
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [sdap_access_send] (0x0400): Performing access check for user [tuser2] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for > user [tuser2] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [hbac_attrs_to_rule] (0x1000): Processing rule [allow_all] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [hbac_user_attrs_to_rule] (0x1000): Processing users for rule > [allow_all] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [hbac_get_category] (0x0200): Category is set to 'all'. > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for > rule [allow_all] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [hbac_get_category] (0x0200): Category is set to 'all'. > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule > [allow_all] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [hbac_get_category] (0x0200): Category is set to 'all'. 
> > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule > [allow_all] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [hbac_eval_user_element] (0x1000): [2] groups for [tuser2] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [hbac_eval_user_element] (0x1000): Added group [ipausers] for user > [tuser2] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule > [allow_all] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) > [Success] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) > [Success] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [be_pam_handler_callback] (0x0100): Sending result > [0][server.domain.com] > > (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] > [be_pam_handler_callback] (0x0100): Sent result [0][server.domain.com] > > On Mon, Aug 25, 2014 at 8:11 AM, Jakub Hrozek <jhro...@redhat.com> wrote: >> On Mon, Aug 25, 2014 at 06:51:27AM -0400, Megan . wrote: >>> Good Morning, >>> >>> I'm very new to freeIPA. I'm running centOS 6.5 with freeIPA v3 >>> >>> I have the freeIPA server up but i'm working on getting SUDO >>> configured. Currently i'm having problems getting sudo commands to >>> work on the client. I'm a bit unclear if i have everything configured >>> correctly. The only thing that I can figure out might be an issue, is >>> when i try the sudo command i see a filter search with >>> objectclass=sudoRule but when i check the ldap server it has >> >> These two searches are unrelated. The sudoRule objectlass is what we use >> internally in sssd cache. 
>> On the LDAP side, sudoRole is used.
>>
>> In general, only the [domain] process works with LDAP data, all others
>> (nss, pam, sudo, ...) work with cached data that might look totally
>> different.
>>
>>> objectclass=sudoRole, so there are no results.
>>>
>>> Any ideas? Thank you in advance for any advice.
>>>
>>
>> Can you put debug_level into the domain section as well and increase the
>> debug_level of both to 7?
>>
>>> [tuser2@map1 ~]$ sudo /sbin/iptables -L
>>> Enter RSA PIN+token:
>>> tuser2 is not allowed to run sudo on map1. This incident will be reported.
>>>
>>> CLIENT:
>>>
>>> yum installed libsss_sudo
>>>
>>> I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
>>>
>>> **still not sure what this is for **
>>> Created a sudo user on ldap server
>>> ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
>>> **
>>
>> The config file looks good to me.
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
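An added triage helper (not code from the thread, sssd or FreeIPA) for sssd domain-log records in the format quoted above: it parses each record, flags failure-level entries (sssd's 0x0010 to 0x0080 debug masks) and pairs each PAM request's command and service with the backend result that follows it, so the offline answer to PAM_AUTHENTICATE stands out beside the successful PAM_ACCT_MGMT. The sample records are constructed from the thread's log; reading dp_err 1 as "provider offline" is assumed from sssd's DP_ERR_OFFLINE code and matches the "[Provider is Offline ...]" text in the log.

```python
import re

# Constructed sample in the format of the sssd domain log quoted in the thread (mail wrapping undone).
SAMPLE_LOG = """\
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sysdb_range_create] (0x0040): Invalid range, expected that either the secondary base rid or the SID of the trusted domain is set, but not both or none of them.
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): service: sudo
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [pam_print_data] (0x0100): service: sudo
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
"""

# (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]*)\]\]\] "
                     r"\[(?P<func>[^\]]*)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
RESULT_RE = re.compile(r"Backend returned: \((?P<dp_err>\d+), (?P<errnum>\d+), [^)]*\) \[(?P<text>.*)\]")
FAILURE_LEVELS = 0x00f0  # sssd's fatal/critical/operation/minor failure masks (0x0010..0x0080)
DP_ERR_OFFLINE = 1       # assumed: sssd's dp_err code for "provider offline"

def parse_line(line):
    """Split one sssd debug record into its fields, or return None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Return (failures, pam_results): failure-level records, and one dict per PAM request."""
    failures, pam_results, current = [], [], None
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if int(rec["level"], 16) & FAILURE_LEVELS:
            failures.append((rec["func"], rec["msg"]))
        if rec["func"] == "pam_print_data":
            key, _, value = rec["msg"].partition(": ")
            if key == "command":          # a new PAM request starts here
                current = {"command": value}
            elif current is not None and key in ("user", "service"):
                current[key] = value
        elif rec["func"] == "be_pam_handler_callback" and current is not None:
            r = RESULT_RE.search(rec["msg"])
            if r:  # the first "Backend returned" after a request closes it
                current.update(dp_err=int(r["dp_err"]), errnum=int(r["errnum"]), text=r["text"])
                current["offline"] = current["dp_err"] == DP_ERR_OFFLINE
                pam_results.append(current)
                current = None
    return failures, pam_results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG)[1]:
        print(r["command"], r.get("service"), "OFFLINE" if r["offline"] else "ok", r["text"])
```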