On (14/07/16 13:52), Tomas Simecek wrote:
>Hi Lukas,
>sorry to say, but nothing helps.
>
>I have just updated IPA server, so that now it is:
>[root@svlxxipap ~]# cat /etc/redhat-release
>CentOS Linux release 7.2.1511 (Core)
>
>with:
>[root@svlxxipap ~]# rpm -qa|grep ipa
>ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
>libipa_hbac-1.13.0-40.el7_2.9.x86_64
>ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
>ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
>python-iniparse-0.4-9.el7.noarch
>ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
>sssd-ipa-1.13.0-40.el7_2.9.x86_64
>ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
>python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
>ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64
>

It has to work with IPA on CentOS 7.2 and sssd-1.13.3-22.el6_8.4 on client.

>I have also changed sudoers to sudo in sssd.conf as you suggested and
>restarted sssd.
>No difference, still:
>[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
>[sudo] password for simecek.to...@sd-stc.cz:
>simecek.to...@sd-stc.cz is not in the sudoers file. This incident will be
>reported.
>
>I guess I will pilot some more IPA clients to make sure it works reliably
>and if yes, I guess we will be able to live with the fact that older
>Linuxes do not offer sudo to AD clients.
>

I assume you meant AD users from trust.

But previously, you provided data and user was member of group
which should be allowed to use sudo rules.

I would like to find out why sudo rules were not fetched from IPA.
I would like to see full log file + dump of sssd cache.

Please:
* clean cache and log files on *IPA server*
    rm -f /var/lib/sss/db/* /var/log/sssd/*
* enable debug_level=9 in domain section and sudo
* restart sssd on *IPA server*
* clean cache and log files on *IPA client*
    rm -f /var/lib/sss/db/* /var/log/sssd/*
* enable debug_level=9 in domain section and sudo
* restart sssd on *IPA client*
* authenticate with user simecek.to...@sd-stc.cz
* call id simecek.to...@sd-stc.cz
* try sudo.
* send all sssd log files + sssd.conf
* provide dump of sssd cache
    ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
  (utility ldbsearch is part of package ldb-tools)

Please provide log files, sssd.conf and dump of sssd cache
from client and also from IPA server.

Thank you very much for patience.

LS
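The "enable debug_level=9 in domain section and sudo" step from the message above, as an added example that is not part of the original mail: a shell function that sets debug_level in every [domain/...] section and in [sudo] of an sssd.conf-style file and prints the result. The function names, the sample configuration and the domain example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not from the thread.

# Print file $1 with debug_level set to $2 (default 9) in every
# [domain/...] section and in [sudo]; other sections are left untouched.
set_sssd_debug() {
    awk -v lvl="${2:-9}" '
        /^[ \t]*\[/ {
            # Section header: decide whether this is a section we raise.
            target = ($0 ~ /^[ \t]*\[(domain\/.+|sudo)\][ \t]*$/)
            print
            if (target) print "debug_level = " lvl
            next
        }
        # Drop the old setting inside target sections (already re-added above).
        target && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Print the debug_level configured in section $2 (name without brackets) of file $1.
get_debug_level() {
    awk -v sec="[$2]" '
        /^[ \t]*\[/ { in_sec = ($0 == sec); next }
        in_sec && /^[ \t]*debug_level[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Constructed sample configuration (not the poster's sssd.conf).
write_sample_conf() {
cat <<'EOF'
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
debug_level = 2

[sudo]

[pam]
debug_level = 1
EOF
}

# Demo: show the rewritten sample on stdout.
sample=$(mktemp)
write_sample_conf > "$sample"
set_sssd_debug "$sample" 9
rm -f "$sample"
```

Run it against a copy of /etc/sssd/sssd.conf and review the output before replacing the file; sssd has to be restarted for the new level to take effect.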