Hi,
I have a CentOS 6.7 machine (IPA server)
and a CentOS 6.5 machine (client).
I cannot use sudo on the client.
I added a sudo rule on the IPA server
and configured sssd.conf on the client as follows:
+++++++

# Client-side SSSD configuration: one IPA-backed domain plus the [sssd]
# section that enables the nss, pam, ssh and sudo responders.
[domain/l.infotechpsp.net]
# Backend debug logging. The resulting log records host names, principals
# and LDAP search filters, so keep it readable by root only and lower the
# level once troubleshooting is finished.
debug_level = 6
#cache_credentials = True
#krb5_store_password_if_offline = True
ipa_domain = l.infotechpsp.net
id_provider = ipa
# Commented out: per sssd.conf(5), auth_provider falls back to id_provider.
#auth_provider = ipa
# NOTE(review): commented out. sssd.conf(5) documents the access_provider
# default as "permit", so IPA HBAC rules would not be enforced on this
# client. Confirm that is intended.
#access_provider = ipa
# NOTE(review): commented out, and the name differs from the host principal
# in ldap_sasl_authid below (ussd7rep). Sudo rules are matched against the
# client's host name, so confirm which name this host is enrolled under.
#ipa_hostname = switchlive.l.infotechpsp.net
#chpass_provider = ipa
# _srv_ asks for DNS SRV discovery first; the named server is listed after it.
ipa_server = _srv_, ipasrv.l.infotechpsp.net
# CA certificate used to validate the server when TLS is in use.
# NOTE(review): ldap_uri below is plain ldap:// and no StartTLS option is set
# here, so confirm how the LDAP connection is protected on the wire.
ldap_tls_cacert = /etc/ipa/ca.crt
# Sudo rules are fetched with the generic LDAP provider, using the ldap_*
# options that follow.
sudo_provider = ldap
ldap_uri =ldap://ipasrv.l.infotechpsp.net
# Subtree searched for sudoRole entries.
# NOTE(review): verify that the rule is visible under this base when bound
# as the host principal below.
ldap_sudo_search_base = ou=sudoers,dc=l,dc=infotechpsp,dc=net
# Bind to LDAP with SASL/GSSAPI as this host's Kerberos principal.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ussd7rep.l.infotechpsp.net
ldap_sasl_realm = L.INFOTECHPSP.NET
krb5_server = ipasrv.l.infotechpsp.net
[sssd]
config_file_version = 2

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
# Responders started by SSSD; "sudo" must be listed for sudo rule lookups.
services = nss, pam, ssh, sudo

# Must match the [domain/...] section name above.
domains = l.infotechpsp.net
# No overrides are set for the nss responder.
[nss]


# No overrides are set for the pam responder.
[pam]
+++++++
In nsswitch.conf I added:
sudoers: files sss

The SSSD domain log (/var/log/sssd/sssd_l.infotechpsp.net.log) shows:
+++++

(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
[be_resolve_server_process] (0x0200): Found address for server
ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
[write_pipe_handler] (0x0400): All data has been sent!
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
[read_pipe_handler] (0x0400): EOF received, client finished
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
[sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/
ccache_L.INFOTECHPSP.NET], expired on [1443085132]
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]]
[sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: GSSAPI, user: host/
ussd7rep.l.infotechpsp.net
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[child_sig_handler] (0x0100): child [12755] finished successfully.
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[fo_set_port_status] (0x0100): Marking port 389 of server '
ipasrv.l.infotechpsp.net' as 'working'
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[set_server_common_status] (0x0100): Marking server '
ipasrv.l.infotechpsp.net' as 'working'
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with
base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(&(objectclass=sudoRole)(entryUSN>=128274)(!(entryUSN=128274)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=
ussd7rep.l.infotechpsp.net
)(sudoHost=ussd7rep)(sudoHost=10.30.110.11)(sudoHost=
10.30.110.0/24)(sudoHost=fe80::250:56ff:feaf:3ca6)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=l,dc=infotechpsp,dc=net
].
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base
[ou=sudoers,dc=l,dc=infotechpsp,dc=net]
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in
cache
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]]
[sdap_sudo_smart_refresh_done] (0x0400): Successful smart refresh of sudo
rules
+++++