I have these logs and can't seem to make sense of them.
I have created the hostgroup mailservers and have added the sudo rule that allows the users to execute sudo vim anyfile.

(Wed Apr 8 09:58:45 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 8 09:58:45 2015) [sssd[be[ai.co.zw]]] [be_resolve_server_process] (0x0200): Found address for server cyclops.ai.co.zw: [41.57.64.54] TTL 300
(Wed Apr 8 09:58:45 2015) [sssd[be[ai.co.zw]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://cyclops.ai.co.zw'
(Wed Apr 8 09:58:45 2015) [sssd[be[ai.co.zw]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'cyclops.ai.co.zw' as 'working'
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (0x0100): Marking server 'cyclops.ai.co.zw' as 'working'
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'cyclops.ai.co.zw' as 'working'
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [switch_creds] (0x0200): Switch user to [1468200000][1468200000].
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [switch_creds] (0x0200): Switch user to [0][0].
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the same, none will be deleted.
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw]
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw]
(Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [child_sig_handler] (0x0100): child [1794] finished successfully.
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_req_set_domain] (0x0400): Changing request domain from [ai.co.zw] to [ai.co.zw]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): domain: ai.co.zw
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): ruser: admin
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): rhost:
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): priv: 0
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): cli_pid: 1793
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_access_send] (0x0400): Performing access check for user [admin]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [admin]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=ironhide.ai.co.zw))][cn=accounts,dc=ai,dc=co,dc=zw].
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw] using OpenLDAP deref
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw].
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: mailservers
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=ai,dc=co,dc=zw][2][(objectClass=ipaHBACService)]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=ai,dc=co,dc=zw].
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=ai,dc=co,dc=zw][2][(objectClass=ipaHBACServiceGroup)]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=ai,dc=co,dc=zw].
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=ai,dc=co,dc=zw][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw)))]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw)))][cn=hbac,dc=ai,dc=co,dc=zw].
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=ai,dc=co,dc=zw].
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=ai,dc=co,dc=zw]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=ai,dc=co,dc=zw].
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw]
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw]

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Wednesday, April 08, 2015 9:40 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 09:25:33AM +0200, Chamambo Martin wrote:
> Good day
>
> I am running FreeIPA, version: 4.1.0 and everything is working well
> except SUDO configuration.
>
> I have 3 questions
>
> 1: I have configured the bare minimum sudo configuration without
> hostgroups and netgroups, just sudo commands and sudo command groups
> that have been added as sudo rules ..... this should work, right?
> 2: I have CentOS 6.6 and Red Hat 6.6 clients using the
> sssd service; is that enough for sudo to work if the configs are as
> below?

Didn't you start exactly the same thread yesterday? :-)

Can you provide the sudo responder logs as we asked yesterday?
> cat /etc/nsswitch.conf
> sudoers: files sss
>
> cat /etc/sssd/sssd.conf
> [domain/ai.co.zw]
> debug_level=6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ironhide.ai.co.zw
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = ai.co.zw
>
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
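An added example, not code from this thread or from the SSSD/FreeIPA projects: a small Python script that parses SSSD debug lines of the shape posted above and the client's sssd.conf/nsswitch.conf, and reports which SSSD process wrote the log, which PAM request it was handling, which HBAC rule decided it, which LDAP searches it ran, and whether the configuration lets sudo consult SSSD at all. The lines in the thread are written by the domain backend (`[sssd[be[ai.co.zw]]]`, which logs to sssd_ai.co.zw.log); the sudo responder Jakub asked about logs as `[sssd[sudo]]` to sssd_sudo.log. The sample log below is copied from the thread except for the last line, which is constructed (its function name is illustrative); the sssd.conf sample is an abridged copy of the posted one.

```python
"""Parse SSSD debug-log lines and a client sudo configuration.

Added example for this thread; not SSSD or FreeIPA project code.
"""
import configparser
import re
from datetime import datetime

# An SSSD debug line: "(ctime) [sssd[component]] [function] (0xLEVEL): message".
# component is "be[<domain>]" for the domain backend and "sudo" for the sudo responder.
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.+?)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)

# Lines 1-5 are from the log in this thread; the last line is CONSTRUCTED
# to show a sudo-responder entry (function name illustrative, not real).
SAMPLE_LOG = """\
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=ironhide.ai.co.zw))][cn=accounts,dc=ai,dc=co,dc=zw].
(Wed Apr  8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Wed Apr  8 09:58:50 2015) [sssd[sudo]] [sudosrv_example_fn] (0x0400): constructed sudo responder line
"""

# Abridged copy of the sssd.conf posted in the thread.
SAMPLE_SSSD_CONF = """\
[domain/ai.co.zw]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ironhide.ai.co.zw
ipa_server = _srv_, cyclops.ai.co.zw
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ai.co.zw
[pam]
[sudo]
"""
SAMPLE_NSSWITCH = "passwd: files sss\nsudoers: files sss\n"


def parse_sssd_log(text):
    """One dict per recognised line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
            e["level"] = int(e["level"], 16)
            entries.append(e)
    return entries


def log_sources(entries):
    """Sorted list of SSSD components that wrote the lines."""
    return sorted({e["comp"] for e in entries})


def pam_request(entries):
    """Fold the pam_print_data lines into one {field: value} dict."""
    req = {}
    for e in entries:
        if e["func"] == "pam_print_data" and ":" in e["msg"]:
            k, _, v = e["msg"].partition(":")
            req[k.strip()] = v.strip()
    return req


def hbac_decisions(entries):
    """[(rule, granted)] from ipa_hbac_evaluate_rules lines."""
    out = []
    for e in entries:
        if e["func"] == "ipa_hbac_evaluate_rules":
            m = re.search(r"Access (granted|denied) by HBAC rule \[(.+?)\]", e["msg"])
            if m:
                out.append((m.group(2), m.group(1) == "granted"))
    return out


def ldap_searches(entries):
    """[(filter, base)] for every ldap_search_ext call in the log."""
    out = []
    for e in entries:
        if e["func"] == "sdap_get_generic_ext_step":
            m = re.search(r"ldap_search_ext with \[(.*)\]\[(.*)\]\.?$", e["msg"])
            if m:
                out.append((m.group(1), m.group(2)))
    return out


def check_sudo_config(sssd_conf, nsswitch):
    """Problems that would keep sudo from asking SSSD for rules at all."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    problems = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        problems.append("'sudo' is not listed in [sssd] services")
    if not cp.has_section("sudo"):
        problems.append("no [sudo] section in sssd.conf")
    sudoers = [l.split(":", 1)[1] for l in nsswitch.splitlines()
               if l.strip().startswith("sudoers:")]
    if not sudoers or "sss" not in sudoers[0].split():
        problems.append("nsswitch.conf sudoers: line does not include sss")
    return problems


if __name__ == "__main__":
    entries = parse_sssd_log(SAMPLE_LOG)
    print("log written by:", log_sources(entries))
    print("PAM request:", pam_request(entries))
    print("HBAC decisions:", hbac_decisions(entries))
    print("LDAP searches:", ldap_searches(entries))
    print("config problems:", check_sudo_config(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH) or "none")
```

Run against the full log in the thread, `log_sources` returns only `be[ai.co.zw]`, `pam_request` shows `PAM_ACCT_MGMT` for service `sudo`, and `hbac_decisions` shows `allow_all` granting access: that is the backend answering sudo's PAM account check, not the sudo responder serving rules, which is why the separate sssd_sudo.log is the one to look at for the rule lookup itself. `check_sudo_config` flags the two client-side prerequisites (the `sudo` service in `[sssd]` and `sss` on the `sudoers:` line) that must hold before any rule can be found.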