Good day. I have managed to follow this guide
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html#idp21135920
and I have configured my sssd.conf file as follows.

PLEASE NOTE THAT THE SAME USER IS WORKING ON RHEL 6 AND CENTOS 6 CLIENTS, so sudo is working on the other clients except this CentOS 5 machine.

[root@pinnochio db]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = ai.co.zw

[nss]

[sudo]

[pam]

[domain/ai.co.zw]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://cyclops.ai.co.zw
ldap_sudo_search_base = ou=sudoers,dc=cyclops,dc=ai,dc=co,dc=zw
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/pinnochio.ai.co.zw
ldap_sasl_realm = AI.CO.ZW
krb5_server = cyclops.ai.co.zw
[root@pinnochio db]#

And I'm still getting:

[admin@pinnochio ~]$ sudo -l
[sudo] password for admin:
Sorry, user admin may not run sudo on pinnochio.
[admin@pinnochio ~]$

Error message below when debug level is set at 6:

(Thu Apr 9 09:32:01 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(uid=admin)(objectclass=posixAccount))][cn=accounts,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_save_user] (6): Storing info for user admin
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=admins,cn=groups,cn=accounts,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Replication Administrators,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Replication Administrators,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read DNA Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Read DNA Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Host Enrollment,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Host Enrollment,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=trust admins,cn=groups,cn=accounts,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=trust admins,cn=groups,cn=accounts,dc=ai,dc=co,dc=zw, returned 0 results. Skipping
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (4): Got request with the following data
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): domain: ai.co.zw
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): user: admin
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): service: sudo
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): tty: /dev/pts/3
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): ruser:
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): rhost:
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): authtok type: 1
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): authtok size: 10
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): newauthtok type: 0
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): newauthtok size: 0
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): priv: 0
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): cli_pid: 3809
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [check_for_valid_tgt] (3): TGT is valid.
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send] (4): Trying to resolve service 'IPA'
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [get_server_status] (4): Hostname resolution expired, resetting the server status of 'cyclops.ai.co.zw'
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (4): Marking server 'cyclops.ai.co.zw' as 'name not resolved'
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [resolv_gethostbyname_files_send] (4): Trying to resolve A record of 'cyclops.ai.co.zw' in files
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (4): Marking server 'cyclops.ai.co.zw' as 'resolving name'
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [resolv_gethostbyname_files_send] (4): Trying to resolve AAAA record of 'cyclops.ai.co.zw' in files
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [resolv_gethostbyname_next] (5): No more address families to retry
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [resolv_gethostbyname_dns_query] (4): Trying to resolve A record of 'cyclops.ai.co.zw' in DNS
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (4): Marking server 'cyclops.ai.co.zw' as 'name resolved'
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [be_resolve_server_done] (4): Found address for server cyclops.ai.co.zw: [41.57.64.54] TTL 300
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [ipa_resolve_callback] (6): Constructed uri 'ldap://cyclops.ai.co.zw'
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [write_pipe_handler] (6): All data has been sent!
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [read_pipe_handler] (6): EOF received, client finished
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (4): Marking port 0 of server 'cyclops.ai.co.zw' as 'working'
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (4): Marking server 'cyclops.ai.co.zw' as 'working'
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Sending result [0][ai.co.zw]
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Sent result [0][ai.co.zw]
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [child_sig_handler] (4): child [3842] finished successfully.
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (4): Got request with the following data
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): command: PAM_ACCT_MGMT
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): domain: ai.co.zw
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): user: admin
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): service: sudo
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): tty: /dev/pts/3
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): ruser:
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): rhost:
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): authtok type: 0
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): authtok size: 0
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): newauthtok type: 0
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): newauthtok size: 0
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): priv: 0
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): cli_pid: 3809
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_access_send] (6): Performing access check for user [admin]
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_account_expired_rhds] (6): Performing RHDS access check for user [admin]
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=pinnochio.ai.co.zw))][dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(null)][cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(objectClass=ipaHBACService)][dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=pinnochio.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=53caae2a-ddf4-11e4-b324-525400143fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)))][dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (5): Category is set to 'all'.
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (5): Category is set to 'all'.
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (5): Category is set to 'all'.
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Sending result [0][ai.co.zw]
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Sent result [0][ai.co.zw]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dmitri Pal
Sent: Thursday, April 09, 2015 3:47 AM
To: [email protected]
Subject: Re: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients

On 04/08/2015 09:04 PM, Martin Chamambo wrote:
> I managed to install my ipa client on centos 5 using this command
> below
>
> ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw
>
>
> and it worked perfectly, I can getent passwd xxxx for users in the freeIPA server which is good.
>
> I am now trying to configure SUDO on centos and there seem to be mixed
> views on how I can get it working but I have actually embraced the
> following
>
> Use SSSD, don't use nslcd or anything that has pam_ldap or ldapd in
> the name
>
> and here are my configs
>
> cat /etc/nsswitch
>
> sudoers: files sss
>
>
> cat /etc/sssd/sssd.conf
>
> [root@pinnochio ~]# cat /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> services = nss, pam
>
>
> domains = ai.co.zw
> [nss]
>
> [sudo]
>
> [pam]
>
>
> [domain/ai.co.zw]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
>
>
> wanted to add sudo services and ssh services on the line services =
> nss, pam and kept getting error
>
> (Thu Apr 9 02:04:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:04:36 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:08:27 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:08:59 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:09:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:10:05 2015) [sssd] [get_monitor_config] (0): Invalid service ssh
>
>
> I guess there is a different way of configuring SUDO on RHEL 5 or
> centos 5
>

The sudo and ssh support was added later than the version of SSSD that runs on CentOS 5. Also the version of sudo on 5 does not have integration with SSSD yet. The recommended approach is to configure sudo using its own LDAP capabilities as documented in the sudo manuals and man pages for that version.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
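Following Dmitri's recommendation to use sudo's own LDAP support on the CentOS 5 client, here is an added example of the two files involved; it is not from this thread or the FreeIPA project, and every value marked as an assumption must be checked against the deployment. Assumed: the IPA suffix is dc=ai,dc=co,dc=zw (the base the debug log above searches under), FreeIPA's compat sudoers tree is ou=sudoers beneath that suffix, a bind account uid=sudo,cn=sysaccounts,cn=etc,... has been created on the server, and this sudo build reads /etc/ldap.conf (confirm the path in sudoers.ldap(5) on the client).

```conf
# /etc/ldap.conf -- sudo's LDAP settings (added example; assumptions marked)

# The IPA server from the thread; ldap:// plus StartTLS below, not ldaps://
uri ldap://cyclops.ai.co.zw

# ASSUMPTION: IPA suffix dc=ai,dc=co,dc=zw with the compat sudoers tree beneath it
sudoers_base ou=sudoers,dc=ai,dc=co,dc=zw

# Encrypt the session and verify the server against the IPA CA that
# ipa-client-install already placed on the client; tls_checkpeer yes makes
# sudo refuse a server whose certificate does not chain to that CA
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ipa/ca.crt

# ASSUMPTION: a dedicated read-only system account for sudo lookups.
# Once a real password is here, keep this file readable by root only.
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ai,dc=co,dc=zw
bindpw <PLACEHOLDER-sudo-sysaccount-password>

# Set to 1 or 2 while chasing "user ... may not run sudo" to see the filters
# sudo sends and the rules it gets back; return to 0 when done
sudoers_debug 0

# /etc/nsswitch.conf -- this sudo build has no "sss" source, so use ldap
sudoers: files ldap
```

After the change, `sudo -l` run as the IPA user lists the rules the compat tree returns for this host, and a failure at this stage shows up in sudo's own debug output rather than in the SSSD backend log, which already reports PAM_AUTHENTICATE and PAM_ACCT_MGMT as Success above.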
