Thanks Jakub for pointing me in the right direction. This is what I have now, and I have increased the debug level during troubleshooting.

[domain/ai.co.zw]
debug_level=3
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
sudo_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ironhide.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ai.co.zw

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

Error messages from /var/log/sssd/sssd_ai.co.zw when debug level is set at 4

[root@ironhide ~]# tail -f /var/log/sssd/sssd_ai.co.zw.log
(Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (0x0100): Marking server 'cyclops.ai.co.zw' as 'working'
(Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [sysdb_range_create] (0x0040): Invalid range, skipping. Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them.
(Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [sysdb_range_create] (0x0040): Invalid range, skipping. Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them.
(Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [ipa_subdomains_handler_master_done] (0x0020): Master domain record not found!
(Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [ipa_subdomains_handler_master_done] (0x0020): Master domain record not found!
(Tue Apr 7 13:53:43 2015) [sssd[be[ai.co.zw]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=postfix]
(Tue Apr 7 13:53:43 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr 7 13:53:43 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr 7 13:53:43 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Apr 7 13:53:58 2015) [sssd[be[ai.co.zw]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=postfix]
(Tue Apr 7 13:53:58 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr 7 13:53:58 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr 7 13:53:58 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [be_get_account_info] (0x0100): Got request for [3][1][name=admin]
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): domain: ai.co.zw
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): ruser: admin
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): rhost:
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): priv: 0
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): cli_pid: 2377
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'cyclops.ai.co.zw' as 'working'
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (0x0100): Marking server 'cyclops.ai.co.zw' as 'working'
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw]
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw]
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [child_sig_handler] (0x0100): child [2379] finished successfully.
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): domain: ai.co.zw
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): ruser: admin
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): rhost:
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): priv: 0
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): cli_pid: 2377
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw]
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw]
^C

-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Tuesday, April 07, 2015 12:58 PM
To: Chamambo Martin
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote:
> Sorry for the confusion about that one, that client I used to
> authenticate to a pure 389 directory server and I have since changed
> it to free ipa and below is the correct configuration.
>
> I managed to add the line sudo_provider = ipa and I'm getting the below
> error on my client

I don't see it added to the config. If it's added, the next steps would be to add debug_level to the sudo and domain sections.

https://fedorahosted.org/sssd/wiki/Troubleshooting has some notes on gathering the debug logs.
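
A way to read a backend log like the one posted in this thread at a glance, as an added example that is not part of the thread and not SSSD project code: it groups the `pam_print_data` lines into one record per PAM request and attaches the backend result and the HBAC rule. The names `pam_requests`, `LINE_RE` and `SAMPLE_LOG` are hypothetical, and the sample is a shortened excerpt constructed from the log lines above.

```python
import re

# Constructed sample: a shortened excerpt in the format of the log in this thread.
SAMPLE_LOG = """\
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin
(Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
"""

# Line layout: (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")

def pam_requests(log_text):
    """Return one dict per PAM request seen in an SSSD backend log."""
    requests, cur = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a backend debug line
        func, msg = m["func"], m["msg"]
        if func == "be_pam_handler":  # opens a new request
            cur = {"time": m["ts"], "hbac_rule": None, "result": None}
            requests.append(cur)
        elif cur is None:
            continue  # lines before the first PAM request
        elif func == "pam_print_data":
            key, _, value = msg.partition(":")
            cur[key.strip()] = value.strip()
        elif func == "ipa_hbac_evaluate_rules":
            rule = re.search(r"HBAC rule \[([^\]]+)\]", msg)
            cur["hbac_rule"] = rule.group(1) if rule else None
        elif (func == "be_pam_handler_callback" and cur["result"] is None
              and msg.startswith("Backend returned")):
            cur["result"] = re.search(r"\[([^\]]*)\]\s*$", msg).group(1)
    return requests

if __name__ == "__main__":
    for r in pam_requests(SAMPLE_LOG):
        print(r["time"], r.get("command"), r.get("service"), r["result"], r["hbac_rule"])
```

Only the first "Backend returned" line per request is recorded, since the log above repeats it for the PAM_ACCT_MGMT request.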