What about /etc/nsswitch.conf? Does it have "sudo: files sss"?

On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek <[email protected]> wrote:

> Dear freeipa users/admins,
> I'm trying to implement freeipa in our company, so that our Unix admins
> can authenticate on Linux servers using their Windows AD account.
> Following this guide
> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
> work well, they can log in without problems.
> What I cannot get working is sudo from their AD accounts on Linux.
>
> No matter what I try, it is still:
>
> sudo systemctl restart httpd
> [sudo] password for [email protected]:
> Sorry, try again.
>
> Here's our setup:
> Freeipa server: CentOS Linux release 7.2.1511 (Core),
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> Freeipa client: the same
>
> AD domain name: sd-stc.cz
> IPA domain: linuxdomain.cz
>
> When digging in logs and googling, I realized that the problem on client
> side could be:
>
> [root@spcss-2t-www ~]# kinit -k
> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>
> But this seems to work:
> [root@spcss-2t-www ~]# kinit [email protected]
> Password for [email protected]:
> [root@spcss-2t-www ~]# klist
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/[email protected]
>         renew until 07/05/2016 09:36:23
>
> My /etc/sssd/sssd.conf:
> [domain/linuxdomain.cz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linuxdomain.cz
> krb5_realm = LINUXDOMAIN.CZ
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = spcss-2t-www.linuxdomain.cz
> chpass_provider = ipa
> ipa_server = svlxxipap.linuxdomain.cz
> ldap_tls_cacert = /etc/ipa/ca.crt
> override_shell = /bin/bash
> sudo_provider = ldap
> ldap_uri = ldap://svlxxipap.linuxdomain.cz
> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/[email protected]
> ldap_sasl_realm = LINUXDOMAIN.CZ
> krb5_server = svlxxipap.linuxdomain.cz
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = linuxdomain.cz
> [nss]
> homedir_substring = /home
> ....
>
> My /etc/krb5.conf:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = LINUXDOMAIN.CZ
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
> LINUXDOMAIN.CZ = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
>
> [domain_realm]
> .linuxdomain.cz = LINUXDOMAIN.CZ
> linuxdomain.cz = LINUXDOMAIN.CZ
>
> Would you please suggest which way to investigate?
>
> Thanks
>
> Tomas Simecek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
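The nsswitch.conf check the reply asks about, plus the matching check on the `services` line of the quoted sssd.conf, as an added POSIX shell diagnostic that is not part of this thread; the default file paths are the standard ones and the function names are my own:

```shell
# Added diagnostic (not from the thread): verify the two client-side settings
# sudo needs before SSSD can serve IPA sudo rules. Paths are overridable.

# Print the sources on the last uncommented "sudo:" line of nsswitch.conf.
nss_sudo_sources() {
    sed -n 's/#.*//; s/^[[:space:]]*sudo[[:space:]]*:[[:space:]]*//p' \
        "${1:-/etc/nsswitch.conf}" | tail -n 1
}

# Exit 0 only if "sss" is one of those sources.
nss_sudo_has_sss() {
    for src in $(nss_sudo_sources "$1"); do
        [ "$src" = "sss" ] && return 0
    done
    return 1
}

# Exit 0 only if the [sssd] section's "services" line lists the sudo responder.
sssd_services_has_sudo() {
    awk -F= '
        /^[ \t]*\[/ { sub(/^[ \t]*/, ""); section = $0; next }
        section == "[sssd]" && $1 ~ /^[ \t]*services[ \t]*$/ {
            n = split($2, parts, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (parts[i] == "sudo") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "${1:-/etc/sssd/sssd.conf}"
}

# Report both checks; the return value is the number of failed checks.
check_sudo_via_sssd() {
    fails=0
    if nss_sudo_has_sss "$1"; then
        echo "ok:   nsswitch.conf sudo: line includes sss"
    else
        echo "FAIL: nsswitch.conf sudo: line is '$(nss_sudo_sources "$1")', needs sss"
        fails=$((fails + 1))
    fi
    if sssd_services_has_sudo "$2"; then
        echo "ok:   sssd.conf [sssd] services includes sudo"
    else
        echo "FAIL: sssd.conf [sssd] services does not list sudo"
        fails=$((fails + 1))
    fi
    return $fails
}
```

Source the file and run `check_sudo_via_sssd /etc/nsswitch.conf /etc/sssd/sssd.conf` on the client; a non-zero return means at least one of the two settings is missing.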
