Hi, I had the same issue after upgrading a registered CentOS 6.5 to 6.6 (and with the new IPA client). The new version already contains sudo support, so sssd.conf doesn't contain it. You can uninstall the IPA client and register the server again - keep the configuration file generated by the IPA client itself (I used puppet to maintain this file and ended up with multiple-version chaos because of CentOS and IPA versions).

Vasek

Example of a clean config file (you don't need to set up anything manually):

[domain/xxx.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xxx.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = server.xxx.com
chpass_provider = ipa
ipa_server = _srv_, ipa.xxx.com
dns_discovery_domain = xxx.com

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xxx.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

On Sat, Jan 3, 2015 at 8:10 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 01/03/2015 05:14 AM, alireza baghery wrote:
>
> hi
> i integrated AD windows 208 R2 with IPA server (centos 6.5)
> i write policy for user test execute any command on any host
> user test can execute sudo on centos 6.5 but on centos 6.6 can not (sudo
> get error)
> config sssd.conf
> =========================
>
> [domain/l.example.com]
> debug_level = 6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = l.example.com
> id_provider = ipa
> ipa_server = _srv_,ipaserver.l.example.com
> dap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri = ldap://ipasrv.l.example.com
> ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ipadevel.l.example.com
> ldap_sasl_realm = L.EXAMPLE.COM
> krb5_server = ipadevel.l.example.com
>
> [sssd]
> config_file_version = 2
> services = nss, pam,ssh,sudo
>
> ============================
> how to solve this problem
>
> Enable sudo debugging and see what happens. Is the command denied or
> there is some other error?
> Generally there are two flavors of errors: something is wrong with a
> connection and no policy gets through or the policies get through but
> something is wrong with this specific policy or configuration.
> To start debugging first rule out connectivity issues.
>
> SUDO and sssd debug logs are your friends.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

--
May the fox be with you ...
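
Added example, not part of the thread or of the FreeIPA/SSSD projects: a small check that compares an sssd.conf against the two shapes shown above, reporting hand-set sudo/LDAP keys left in an IPA-provider domain and a missing sudo entry in [sssd] services. The helper name audit_sssd_conf and the key list are assumptions drawn from the quoted config; the two sample files are constructed from the configs in the thread.

```python
import configparser

# Assumption: these are the hand-set sudo/LDAP keys seen in the quoted config.
MANUAL_SUDO_KEYS = ("sudo_provider", "ldap_uri", "ldap_sudo_search_base",
                    "ldap_sasl_mech", "ldap_sasl_authid", "ldap_sasl_realm")

def audit_sssd_conf(text):
    """Return findings for an sssd.conf passed as a string (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    findings = []
    raw = cp.get("sssd", "services", fallback="")
    services = {s.strip() for s in raw.split(",") if s.strip()}
    if "sudo" not in services:
        findings.append("[sssd] services does not list sudo")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider", "").strip() != "ipa":
            continue  # only IPA-provider domains are in scope here
        for key in MANUAL_SUDO_KEYS:
            if key in dom:
                findings.append(f"[{section}] hand-set {key} = {dom[key]}")
    return findings

# Constructed samples, shortened from the two configs in the thread.
CLEAN = """[domain/xxx.com]
id_provider = ipa
ipa_server = _srv_, ipa.xxx.com
[sssd]
services = nss, sudo, pam, ssh
[sudo]
"""
LEGACY = """[domain/l.example.com]
id_provider = ipa
sudo_provider = ldap
ldap_uri = ldap://ipasrv.l.example.com
ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipadevel.l.example.com
ldap_sasl_realm = L.EXAMPLE.COM
[sssd]
services = nss, pam,ssh,sudo
"""

if __name__ == "__main__":
    for name, conf in (("clean", CLEAN), ("legacy", LEGACY)):
        print(name, audit_sssd_conf(conf) or "no findings")
```

A finding here only means the file differs from the client-generated layout described in the reply; the sudo and sssd debug logs remain the way to confirm what actually fails.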