Hi,
 I had same issue after upgrading registered Centos 6.5 to 6.6 (and with
new IPA client). New version already contain sudo support, so sssd.conf
doesn't contain it. You can uninstall ipa client and register server again
- keep configuration file generated by IPA client itself (I used puppet for
maintain this file and end up with multiple version chaos because of centos
and IPA versions)


Vasek

example of clean config file (you don't need to setup anything manually):

[domain/xxx.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xxx.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = server.xxx.com
chpass_provider = ipa
ipa_server = _srv_, ipa.xxx.com
dns_discovery_domain = xxx.com

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = xxx.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]





On Sat, Jan 3, 2015 at 8:10 PM, Dmitri Pal <d...@redhat.com> wrote:

>  On 01/03/2015 05:14 AM, alireza baghery wrote:
>
>
>
>   hi
> i integrated AD windows 208 R2 with IPA server (centos 6.5)
>  i write policy for user test execute any command on any host
>  user test can execute sudo on cetnos 6.5 but on centos 6.6 can not (sudo
> get error)
>  confige sssd.conf
> =========================
>
> [domain/l.example.com]
> debug_level = 6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = l.example.com
> id_provider = ipa
> ipa_server = _srv_,ipaserver.l.example.com
> dap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri = ldap://ipasrv.l.example.com
> ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipadevel.l.example.com
> ldap_sasl_realm = L.EXAMPLE.COM
> krb5_server = ipadevel.l.example.com
>
>
>  [sssd]
> config_file_version = 2
> services = nss, pam,ssh,sudo
>
> ============================
>  how to solve this problem
>
>
>
>  Enable sudo debugging and see what happens. Is the command denied or
> there is some other error?
> Generally there are two flavors of errors: something is wrong with a
> connection and no policy gets through or the policies get though but
> something is wrong with this specific policy or configuration.
> To start debugging first rule out connectivity issues.
>
> SUDO and sssd debug logs are your friends.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>



-- 
-- May the fox be with you ...
   /\
  (~(
   ) )         /\_/\
  (_=---_(@ @)
    (          \   /
    /|/----\|\  V
    " "     " "
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to