Diky Jakube, in domain log below I can see that rules were found properly: (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
It also matches the rule and says "Access granted": (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [1] groups for [simecek.to...@sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [ simecek.to...@sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery] It also mentiones SELinux, but I know it is disabled. Any idea what to check next please? Full part of the log follows: (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0100): Got request for [3][1][name=simecek.tomas] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache. (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.to...@sd-stc.cz (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.to...@sd-stc.cz (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost: (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 1 (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0 (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 27305 (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds] (0x0200): Switch user to [988604700][988604700]. (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working' (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 601 (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// svlxxipap.linuxdomain.cz' (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [27310] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [27310] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][SD-STC] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21 (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22 (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170] (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>) [Success] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [27310]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [27310] finished successfully. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][3][45]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][24]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): TGT times are [1468404320][1468404320][1468440320][1468490720]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][6][8]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working' (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server ' svlxxipap.linuxdomain.cz' as 'working' (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working' (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [switch_creds] (0x0200): Switch user to [988604700][988604700]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_check_ccache_princ] (0x2000): Searching for [ simecek.to...@sd-stc.cz] in cache of type [FILE] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the same, none will be deleted. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0100): Got request for [3][1][name=simecek.tomas] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.to...@sd-stc.cz (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.to...@sd-stc.cz (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost: (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 27305 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send] (0x0400): Performing access check for user [simecek.to...@sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [simecek.to...@sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz ))][cn=accounts,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn= zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=zp-cml-test.linuxdomain.cz ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 27 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn= zp-cml-test.linuxdomain.cz ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn= zp-cml-test.linuxdomain.cz ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 28 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [1] groups for [simecek.to...@sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [ simecek.to...@sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_selinux_send] (0x2000): Connection status is [online]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaMigrationEnabled] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapDefault] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapOrder] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaMigrationEnabled] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapDefault] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapOrder] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 30 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! Tomas Simecek 2016-07-13 11:50 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>: > On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote: > > Dear freeIPA gurus, > > in previous thread ( > > https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) > you > > helped me make sudo working for AD users on Centos 7.0 ( > > spcss-2t-www.linuxdomain.cz). > > It was caused by not knowing sudo needs to be enabled in HBAC rules. > > Now it works properly on Centos 7.0 client. > > But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the > > same sssd.conf setup. > > Error message is always: > > > > [simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf > > [sudo] password for simecek.to...@sd-stc.cz: > > simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test. This > > incident will be reported. > > > > Here are my HBAC rules, the second one should apply. It definitely > applies > > for Centos 7.0 server: > > [root@svlxxipap ~]# ipa hbacrule-find > > -------------------- > > 2 HBAC rules matched > > -------------------- > > Rule name: allow_all > > User category: all > > Host category: all > > Service category: all > > Description: Allow all users to access any host from any host > > Enabled: FALSE > > > > Rule name: Unixari na test servery > > Enabled: TRUE > > User Groups: grpunixadmins > > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz > > Services: login, sshd, sudo, sudo-i, su, su-l > > ---------------------------- > > Number of entries returned 2 > > ---------------------------- > > > > This is my /etc/sssd/sssd.conf. It the same like on Centos 7.0 server, > just > > with proper server name of course: > > > > [root@zp-cml-test sssd]# cat /etc/sssd/sssd.conf > > [domain/linuxdomain.cz] > > cache_credentials = True > > krb5_store_password_if_offline = True > > ipa_domain = linuxdomain.cz > > id_provider = ipa > > krb5_realm = LINUXDOMAIN.CZ > > auth_provider = ipa > > access_provider = ipa > > ipa_hostname = zp-cml-test.linuxdomain.cz > > chpass_provider = ipa > > ipa_server = svlxxipap.linuxdomain.cz > > ldap_tls_cacert = /etc/ipa/ca.crt > > override_shell = /bin/bash > > sudo_provider = ldap > > ldap_uri = ldap://svlxxipap.linuxdomain.cz > > ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz > > ldap_sasl_mech = GSSAPI > > #ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz > > ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz > > ldap_sasl_realm = LINUXDOMAIN.CZ > > krb5_server = svlxxipap.linuxdomain.cz > > > > [sssd] > > services = nss, sudo, pam, ssh > > config_file_version = 2 > > debug_level = 0x3ff0 > > domains = linuxdomain.cz > > [nss] > > homedir_substring = /home > > > > [pam] > > [sudo] > > debug_level = 0x3ff0 > > [autofs] > > [ssh] > > [pac] > > [ifp] > > > > This is output from sssd_sudo.log: > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): > > Client connected! > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > > Received client version [1]. > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > > Offered version [1]. > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > > protocol version [1] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > > (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain ' > > sd-stc.cz', user is simecek.tomas > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > > (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain ' > > sd-stc.cz', user is simecek.tomas > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > > (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz > ] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > > Requesting info about [simecek.to...@sd-stc.cz] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > > Returning info for user [simecek.to...@sd-stc.cz] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): > > Retrieving default options for [simecek.to...@sd-stc.cz] from [sd-stc.cz > ] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > > (0x0400): No such entry > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] > > (0x0200): Searching sysdb with > > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > > simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain > > us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=% > > mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=% > w...@sd-stc.cz > > > )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): > About > > to get sudo rules from cache > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] > > (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(name=defaults)))] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] > [sudosrv_get_sudorules_from_cache] > > (0x0400): Returning 0 rules for [<default options>@sd-stc.cz] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > > protocol version [1] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > > (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain ' > > sd-stc.cz', user is simecek.tomas > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > > (0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain ' > > sd-stc.cz', user is simecek.tomas > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > > (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > > Requesting info about [simecek.to...@sd-stc.cz] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > > Returning info for user [simecek.to...@sd-stc.cz] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): > > Retrieving rules for [simecek.to...@sd-stc.cz] from [sd-stc.cz] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > > (0x0400): No such entry > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] > > (0x0200): Searching sysdb with > > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > > simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain > > us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=% > > mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=% > w...@sd-stc.cz > > > )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): > About > > to get sudo rules from cache > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > > (0x0400): No such entry > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] > > (0x0200): Searching sysdb with > > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser= > simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain > > us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=% > > mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=% > w...@sd-stc.cz > > )(sudoUser=%grpunixadmins)(sudoUser=+*)))] > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] > [sudosrv_get_sudorules_from_cache] > > (0x0400): Returning 0 rules for [simecek.to...@sd-stc.cz] > > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client > > disconnected! > > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000): > > Terminated client [0x1330300][18] > > When you look into the domain logs, do they show some rules being > fetched? > > You can also install ldbsearch and then check what rules got stored in > the cache: > ldbsearch -H /var/lib/sss/db/cache_$domain.ldb > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project