On (25/08/14 08:33), Megan . wrote:
>ok. Changed debug_level to 7. I already had it in the domain section (first
>line).
>
>Not sure if this makes a difference
>
>[root@map1 pam.d]# cat system-auth
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth required pam_env.so
>auth required pam_tally2.so deny=5
>auth sufficient pam_unix.so nullok try_first_pass
>auth requisite pam_succeed_if.so uid >= 500 quiet
>auth sufficient pam_sss.so use_first_pass
>auth required pam_deny.so
>
>account required pam_unix.so broken_shadow
>account sufficient pam_succeed_if.so uid < 500 quiet
>account [default=bad success=ok user_unknown=ignore] pam_sss.so
>account required pam_permit.so
>
>password requisite pam_cracklib.so try_first_pass retry=3
>minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
>password sufficient pam_unix.so sha512 shadow nullok
>try_first_pass use_authtok
>password sufficient pam_sss.so use_authtok
>password required pam_deny.so
>
>session optional pam_keyinit.so revoke
>session required pam_limits.so
>session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
>session [success=1 default=ignore] pam_succeed_if.so service in
>crond quiet use_uid
>session required pam_unix.so
>session optional pam_sss.so
>
>
>from sssd_server.log
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[be_get_subdomains] (0x0400): Got get subdomains [not forced][]
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[be_get_subdomains] (0x0400): Cannot proceed, provider is offline.
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[be_get_subdomains] (0x1000): Request processed. Returned
>1,11,Provider is offline
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[be_get_account_info] (0x0100): Got request for
>[4098][1][idnumber=1079600005]
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast
>reply - offline

SSSD was in offline mode, sudo rules were not downloaded yet.
This is a reason why sudo doesn't work for you.

>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[get_port_status] (0x1000): Port status of port 0 for server '(no
>name)' is 'neutral'
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[resolve_srv_send] (0x0200): The status of SRV lookup is neutral
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use
>DNS discovery domain 'server.domain.com'
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[resolve_srv_cont] (0x0100): Searching for servers via SRV query
>'_ldap._tcp.server.domain.com'
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
>'_ldap._tcp.server.domain.com'
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[request_watch_destructor] (0x0400): Deleting request watch
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
>

SSSD was not able to resolve SRV records.
There are two explanations:
a) you did not install the IPA server with DNS (ipa-server-install --setup-dns)
b) you don't have the IP address of the IPA server in /etc/resolv.conf

If you fix this problem, sudo should work.

You can test resolving SRV records from the command line:
    dig SRV _ldap._tcp.server.domain.com

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
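
The diagnosis in the reply above (backend offline because the IPA SRV lookup failed) can be pulled out of an SSSD domain log mechanically. This is an added example, not part of the original message: `diagnose` and `SAMPLE_LOG` are hypothetical names, and the sample lines are constructed from the quoted log with the e-mail line wraps joined.

```python
import re

# Constructed sample: lines modelled on the quoted sssd domain log, unwrapped.
SAMPLE_LOG = """\
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_subdomains] (0x0400): Cannot proceed, provider is offline.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
"""

# (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)
SRV_QUERY_RE = re.compile(r"SRV query '([^']+)'")
SRV_FAIL_RE = re.compile(r"SRV query failed: \[(.+)\]")

def diagnose(log_text):
    """Per backend domain: was it offline, and which SRV lookups failed and why."""
    report = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        d = report.setdefault(m["domain"], {"offline": False, "last_query": None, "failures": []})
        msg = m["msg"]
        if "offline" in msg.lower():
            d["offline"] = True
        q = SRV_QUERY_RE.search(msg)
        if q:
            d["last_query"] = q.group(1)  # remember which record was being looked up
        f = SRV_FAIL_RE.search(msg)
        if f:
            rec = d["last_query"]
            d["failures"].append({
                "time": m["ts"], "record": rec, "reason": f.group(1),
                "check": f"dig SRV {rec}" if rec else None,  # command to re-test by hand
            })
    return report

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Each failure entry carries the `dig SRV` command for the record SSSD tried, so the lookup can be re-run from the affected host after `/etc/resolv.conf` or the DNS zone is corrected.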