Dear freeipa users/admins,
I'm trying to implement FreeIPA in our company, so that our Unix admins can
authenticate on Linux servers using their Windows AD account.
Following this guide, it seems to work
well; they can log in without problems.
What I cannot get working is sudo from their AD accounts on Linux.

No matter what I try, it is still:

sudo systemctl restart httpd
[sudo] password for
Sorry, try again.

Here's our setup:
Freeipa server: CentOS Linux release 7.2.1511 (Core),
Freeipa client: the same

AD domain name:
IPA domain:

When digging in the logs and googling, I realized that the problem on the client
side could be:

[root@spcss-2t-www ~]# kinit -k
kinit: Cannot determine realm for host (principal host/spcss-2t-www@)

But this seems to work:
[root@spcss-2t-www ~]# kinit
Password for
[root@spcss-2t-www ~]# klist
Default principal:

Valid starting       Expires              Service principal
07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/
        renew until 07/05/2016 09:36:23

My /etc/sssd/sssd.conf:

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain =
krb5_realm = LINUXDOMAIN.CZ
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname =
chpass_provider = ipa
ipa_server =
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server =

services = nss, sudo, pam, ssh
config_file_version = 2

domains =
homedir_substring = /home

My /etc/krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

  default_realm = LINUXDOMAIN.CZ
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

    pkinit_anchors = FILE:/etc/ipa/ca.crt


Would you please suggest which way to investigate?


Tomas Simecek
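The sssd.conf above has two settings that decide whether sudo rules can be fetched at all: the sudo responder must be listed in the [sssd] services, and the domain's hostname and sudo provider must allow the host to obtain credentials (the `kinit -k` error "Cannot determine realm for host" is what a short, non-FQDN host principal produces). The following checker is an added example, not part of the original post or of SSSD; it parses an sssd.conf and reports those conditions. The sample config embedded in it is constructed with placeholder names (example.test, client1, ipa1) that only mirror the shape of the poster's file.

```python
"""Sanity-check an sssd.conf for the settings that sudo through IPA depends on.

Added example, not part of the original post or of the SSSD project. The
sample config below is constructed with placeholder names.
"""
import configparser
import io

# Constructed sample; domain, realm, hostnames and server names are placeholders.
SAMPLE_SSSD_CONF = """\
[domain/example.test]
cache_credentials = True
ipa_domain = example.test
krb5_realm = EXAMPLE.TEST
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client1
ipa_server = ipa1.example.test
sudo_provider = ldap
ldap_uri = ldap://ipa1.example.test
ldap_sudo_search_base = ou=sudoers,dc=example,dc=test
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client1
ldap_sasl_realm = EXAMPLE.TEST

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.test
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-shaped; disable interpolation so '%' in values is kept."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sssd_conf(text):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    cp = parse_sssd_conf(text)
    findings = []

    # Without the sudo responder, sudo never consults SSSD at all.
    services = _csv(cp.get("sssd", "services", fallback=""))
    if "sudo" not in services:
        findings.append("[sssd] services does not include 'sudo'")

    active = _csv(cp.get("sssd", "domains", fallback=""))
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if section[len("domain/"):] not in active:
            findings.append(f"{section}: not listed in [sssd] domains")
        if d.get("id_provider") != "ipa":
            continue

        # The host principal (host/<ipa_hostname>@REALM) is what kinit -k and
        # GSSAPI binds use; a short name cannot be mapped to a realm.
        hn = d.get("ipa_hostname", "")
        if "." not in hn:
            findings.append(f"{section}: ipa_hostname '{hn}' is not a fully qualified name")

        # With id_provider = ipa the sudo provider defaults to ipa; an explicit
        # ldap provider with GSSAPI relies on the host keytab working on its own.
        sp = d.get("sudo_provider", "ipa")
        if sp != "ipa":
            findings.append(
                f"{section}: sudo_provider = {sp} bypasses the ipa provider "
                "and depends on a working host keytab (test with kinit -k)"
            )

        realm, dom = d.get("krb5_realm", ""), d.get("ipa_domain", "")
        if realm and dom and realm != dom.upper():
            findings.append(f"{section}: krb5_realm {realm} does not match ipa_domain {dom}")
    return findings


if __name__ == "__main__":
    for line in check_sssd_conf(SAMPLE_SSSD_CONF):
        print("-", line)
```

Run it against a real file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())`; on the constructed sample it reports the missing sudo responder, the short ipa_hostname and the ldap sudo provider.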