Hi Danila and other freeipa gurus, sorry for my late answer, there is a bank holiday in CZ and I am off work these two days. Yes, /etc/nsswitch.conf is fine, see:
[root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
sudoers: files sss

I think it is set up as part of the freeipa-client package. I went through this guide: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO so I guess things are set right. When I try to sudo as a domain user, sssd_linuxdomain.cz.log says the following:

(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.sudoHandler on path /org/freedesktop/sssd/dataprovider
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_sudo_handler] (0x0400): Entering be_sudo_handler()
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_handler] (0x0400): Issuing a refresh of specific sudo rules
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectClass=sudoRole)(|(cn=Pokusne)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=spcss-2t-www.linuxdomain.cz)(sudoHost=spcss-2t-www)(sudoHost=10.1.62.88)(sudoHost=10.1.62.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 6 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0], ldap[0x7f2389333ff0]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Pokusne,ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0], ldap[0x7f2389333ff0]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 6 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Received 1 rules
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule Pokusne
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule Pokusne
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [16136]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_sudo_handler_reply] (0x0200): SUDO Backend returned: (0, 0, Success)
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[(nil)], ldap[0x7f2389333ff0]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=grpunixadmins]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [linuxdomain.cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 22 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 22 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be processed individually
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 23 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 23 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group grpunixadmins
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is a posix group
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [grpunixadmins].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [grpunixadmins].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group grpunixadmins
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group ad_admins_external
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is not a posix group
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [ad_admins_external].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [ad_admins_external].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group ad_admins_external
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group grpunixadmins
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Adding member users to group [grpunixadmins]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_fill_memberships] (0x1000): member #0 (cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz): [name=ad_admins_external,cn=groups,cn=linuxdomain.cz,cn=sysdb]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group ad_admins_external
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): No members for group [ad_admins_external]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_done] (0x2000): No external members, done
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 24 timeout 60
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 24 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[(nil)], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 25 timeout 60
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893168e0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 25 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 26
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 26 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 26 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 27
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 27 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 27 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for [email protected]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [[email protected]] to group [[email protected],cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for [email protected]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [[email protected]] to group [[email protected],cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[(nil)], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: [email protected]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: [email protected]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 32185
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [[email protected]] is empty, running request [0x7f2389359480] immediately.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1199
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [32186]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [32186]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [[email protected]] is empty.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f2389359480] done.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [32186].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [32186] finished successfully.

I'd appreciate any other hints if you have some.

Thanks,
Tomas Simecek

2016-07-05 15:58 GMT+02:00 Danila Ladner <[email protected]>:
> What about /etc/nsswitch.conf?
> Does it have "sudo: files sss"?
>
> On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek <[email protected]> wrote:
>
>> Dear freeipa users/admins,
>> I'm trying to implement freeipa in our company, so that our Unix admins
>> can authenticate on Linux servers using their Windows AD account.
>> Following this guide https://www.freeipa.org/page/Active_Directory_trust_setup
>> it seems to work well, they can log in without problems.
>> What I cannot get working is sudo from their AD accounts on Linux.
>>
>> No matter what I try, it is still:
>>
>> sudo systemctl restart httpd
>> [sudo] password for [email protected]:
>> Sorry, try again.
>>
>> Here's our setup:
>> Freeipa server: CentOS Linux release 7.2.1511 (Core), ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> Freeipa client: the same
>>
>> AD domain name: sd-stc.cz
>> IPA domain: linuxdomain.cz
>>
>> When digging in logs and googling, I realized that the problem on the client side could be:
>>
>> [root@spcss-2t-www ~]# kinit -k
>> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>>
>> But this seems to work:
>> [root@spcss-2t-www ~]# kinit [email protected]
>> Password for [email protected]:
>> [root@spcss-2t-www ~]# klist
>> Default principal: [email protected]
>>
>> Valid starting       Expires              Service principal
>> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/[email protected]
>>         renew until 07/05/2016 09:36:23
>>
>> My /etc/sssd/sssd.conf:
>> [domain/linuxdomain.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linuxdomain.cz
>> krb5_realm = LINUXDOMAIN.CZ
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = spcss-2t-www.linuxdomain.cz
>> chpass_provider = ipa
>> ipa_server = svlxxipap.linuxdomain.cz
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> override_shell = /bin/bash
>> sudo_provider = ldap
>> ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/[email protected]
>> ldap_sasl_realm = LINUXDOMAIN.CZ
>> krb5_server = svlxxipap.linuxdomain.cz
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = linuxdomain.cz
>> [nss]
>> homedir_substring = /home
>> ....
>>
>> My /etc/krb5.conf:
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>> default_realm = LINUXDOMAIN.CZ
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> udp_preference_limit = 0
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>>
>> [realms]
>> LINUXDOMAIN.CZ = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>>
>> [domain_realm]
>> .linuxdomain.cz = LINUXDOMAIN.CZ
>> linuxdomain.cz = LINUXDOMAIN.CZ
>>
>> Would you please suggest which way to investigate?
>>
>> Thanks
>>
>> Tomas Simecek
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
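A log of this size is hard to read by eye, and the entries that matter (the failed group-membership writes, the krb5 child refusing the PAM preauth command) are logged at the failure debug levels rather than the trace levels. The following parser is an added example, not code from the thread or from sssd: it reads the `(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message` entry format used by sssd_<domain>.log, separates failure-class entries (0x0010 to 0x0080, per the debug_level bits in sssd.conf(5)) from trace noise, and pulls out the PAM request fields and the sudo rule count. The sample lines are constructed placeholders modelled on the log above; the user and group names in them are made up.

```python
"""Parse sssd backend debug-log entries and surface the ones worth reading first."""
import re
from collections import Counter
from dataclasses import dataclass

# Every entry in sssd_<domain>.log looks like:
#   (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) "
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s?(?P<msg>.*)$"
)

# Debug-level bits from sssd.conf(5). The four lowest bits are failure classes,
# so anything logged at or below 0x0080 is an error rather than a trace message.
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "func-data", 0x0400: "trace-func",
    0x1000: "trace-libs", 0x2000: "trace-internal", 0x4000: "trace-all",
}
FAILURE_MAX = 0x0080


@dataclass
class Entry:
    ts: str
    domain: str
    func: str
    level: int
    msg: str

    @property
    def is_failure(self) -> bool:
        return self.level <= FAILURE_MAX


def parse_line(line: str):
    """Return an Entry for a well-formed log line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(m["ts"], m["domain"], m["func"], int(m["level"], 16), m["msg"])


def parse_log(text: str):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def failures(entries):
    """Only the entries logged at a failure level, in log order."""
    return [e for e in entries if e.is_failure]


def pam_request(entries):
    """Collect the 'key: value' pairs that pam_print_data logs for the PAM request."""
    req = {}
    for e in entries:
        if e.func == "pam_print_data":
            key, _, value = e.msg.partition(":")
            req[key.strip()] = value.strip()
    return req


def sudo_rules_received(entries):
    """Number of rules the sudo refresh fetched from LDAP, or None if not logged."""
    for e in entries:
        if e.func == "sdap_sudo_refresh_load_done":
            m = re.search(r"Received (\d+) rules", e.msg)
            if m:
                return int(m.group(1))
    return None


def summarize(text: str):
    entries = parse_log(text)
    fails = failures(entries)
    return {
        "entries": len(entries),
        "sudo_rules": sudo_rules_received(entries),
        "pam": pam_request(entries),
        "failures_by_function": Counter(e.func for e in fails),
        "failures": [f"{LEVEL_NAMES.get(e.level, hex(e.level))}: [{e.func}] {e.msg}"
                     for e in fails],
    }


# Constructed sample modelled on the thread's log; user and group names are placeholders.
SAMPLE_LOG = """\
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Received 1 rules
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [jdoe@ad.example] to group [name=admins@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: jdoe@ad.example
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
this line is not a log entry and is skipped by the parser
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real file with `summarize(open("/var/log/sssd/sssd_linuxdomain.cz.log").read())`; the `failures` list is the part to read first, and `pam` confirms which service and user the backend was actually asked about.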
