On Wed, Sep 23, 2015 at 12:48:47PM +0330, alireza baghery wrote:
> Hi,
> I have CentOS 6.7 (IPA server)
> and I have CentOS 6.5 (client).

I would advise upgrading; 6.5 is old. I'm not sure if 6.5 already
supported sudo_provider=ipa, but I'm pretty sure 6.6 did. That would
simplify the configuration a lot.

> I cannot sudo on the client.
> I added a sudo rule on IPA.
> I configured the file sssd.conf.

Are there any rules in the cache (ldbsearch -H
/var/lib/sss/db/cache_l.infotechpsp.net) at all? If not, then I guess the
rules don't match the host, because your domain log snippet indicates sssd
couldn't fetch the rules.

> +++++++
>
> [domain/l.infotechpsp.net]
> debug_level = 6
> #cache_credentials = True
> #krb5_store_password_if_offline = True
> ipa_domain = l.infotechpsp.net
> id_provider = ipa
> #auth_provider = ipa
> #access_provider = ipa
> #ipa_hostname = switchlive.l.infotechpsp.net
> #chpass_provider = ipa
> ipa_server = _srv_, ipasrv.l.infotechpsp.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> sudo_provider = ldap
> ldap_uri = ldap://ipasrv.l.infotechpsp.net
> ldap_sudo_search_base = ou=sudoers,dc=l,dc=infotechpsp,dc=net
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/ussd7rep.l.infotechpsp.net
> ldap_sasl_realm = L.INFOTECHPSP.NET
> krb5_server = ipasrv.l.infotechpsp.net
> [sssd]
> config_file_version = 2
>
> # Number of times services should attempt to reconnect in the
> # event of a crash or restart before they give up
> reconnection_retries = 3
>
> # If a back end is particularly slow you can raise this timeout here
> sbus_timeout = 30
> services = nss, pam, ssh, sudo
>
> domains = l.infotechpsp.net
> [nss]
>
>
> [pam]
> +++++++
> In the file nsswitch.conf I added:
> sudoers: files sss
>
> and the log file /var/log/sss/sss_l.....
> +++++
>
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [be_resolve_server_process] (0x0200): Found address for server ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_L.INFOTECHPSP.NET], expired on [1443085132]
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ussd7rep.l.infotechpsp.net
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [child_sig_handler] (0x0100): child [12755] finished successfully.
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipasrv.l.infotechpsp.net' as 'working'
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [set_server_common_status] (0x0100): Marking server 'ipasrv.l.infotechpsp.net' as 'working'
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectclass=sudoRole)(entryUSN>=128274)(!(entryUSN=128274)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ussd7rep.l.infotechpsp.net)(sudoHost=ussd7rep)(sudoHost=10.30.110.11)(sudoHost=10.30.110.0/24)(sudoHost=fe80::250:56ff:feaf:3ca6)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=l,dc=infotechpsp,dc=net].
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in cache
> (Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_smart_refresh_done] (0x0400): Successful smart refresh of sudo rules
> +++++

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
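The "Received 0 rules" in the quoted log comes from the ldap_search_ext filter shown just above it, and that filter is the useful diagnostic: it is a set of plain LDAP equality terms built from the client's own FQDN, short name, interface addresses and directly connected networks, plus catch-all terms for netgroups (+*) and wildcard characters. A rule whose sudoHost is none of those literal strings is never returned by the server and never reaches the cache that ldbsearch reads. Two caveats a practitioner should keep in mind: the filter also carries (entryUSN>=128274), which marks this as a smart refresh that only asks for rules changed since the last refresh, so 0 rules here does not by itself prove the rule is unmatched (restarting sssd triggers a full refresh); and a CIDR that merely contains the client address, such as 10.30.0.0/16, is not one of the listed networks and is therefore filtered out, even though sudo itself would treat it as a match once fetched. The block below is an added example, not code from the mailing list, sssd or FreeIPA; it rebuilds the sudoHost part of that filter for the client identity taken from the log and evaluates constructed sample rules against it. The rule contents are assumptions for illustration, since the poster never showed the actual rule.

```python
"""Re-create the sudoHost pre-filter that sssd's LDAP sudo provider sends
(see the ldap_search_ext line in the quoted log) and evaluate sample rules
against it, to see which rules could ever reach the client's cache.

Added example, not code from the list post, sssd or FreeIPA. CLIENT is the
identity sssd encoded in the filter above; SAMPLE_RULES are constructed.
"""
import ipaddress

# Client identity exactly as sssd put it into the search filter in the log.
CLIENT = {
    "fqdn": "ussd7rep.l.infotechpsp.net",
    "short": "ussd7rep",
    "addrs": ("10.30.110.11", "fe80::250:56ff:feaf:3ca6"),
    "nets": ("10.30.110.0/24", "fe80::/64"),
}

# Constructed sample rules: name -> list of sudoHost values (other attributes omitted).
SAMPLE_RULES = {
    "all_hosts": ["ALL"],
    "no_sudohost_attr": [],
    "switchlive_only": ["switchlive.l.infotechpsp.net"],
    "client_subnet": ["10.30.110.0/24"],
    "server_subnet": ["10.30.160.0/24"],
    "supernet": ["10.30.0.0/16"],
    "netgroup": ["+dbservers"],
    "wildcard": ["ussd*.l.infotechpsp.net"],
}


def sudohost_filter(client):
    """Rebuild the (|...) sudoHost term of the filter for this client.

    Every term is a plain LDAP equality match, so the server compares strings;
    no address or netmask arithmetic happens on the server side.
    """
    terms = ["(!(sudoHost=*))", "(sudoHost=ALL)",
             "(sudoHost=%s)" % client["fqdn"], "(sudoHost=%s)" % client["short"]]
    terms += ["(sudoHost=%s)" % a for a in client["addrs"]]
    terms += ["(sudoHost=%s)" % n for n in client["nets"]]
    terms.append("(sudoHost=+*)")  # any netgroup: fetched, resolved after the search
    # wildcard / special characters: also fetched and matched after the search
    terms.append("(|(sudoHost=*\\\\*)(sudoHost=*?*)(sudoHost=*\\**)(sudoHost=*[*]*))")
    return "(|" + "".join(terms) + ")"


def host_value_status(value, client):
    """Classify one sudoHost value against the pre-filter.

    'match'    : a literal equality term in the filter selects the rule
    'deferred' : the rule is fetched only via the netgroup/wildcard catch-all
                 terms; host matching happens after the fetch
    'filtered' : no term matches; the server never returns the rule and it
                 never reaches the sssd cache
    """
    v = value.strip()
    if v.upper() == "ALL":
        return "match"
    if v.lower() in (client["fqdn"].lower(), client["short"].lower()):
        return "match"
    if v.lower() in [x.lower() for x in client["addrs"] + client["nets"]]:
        return "match"
    if v.startswith("+"):
        return "deferred"
    if any(c in v for c in "\\?*[]"):
        return "deferred"
    return "filtered"


def rule_status(sudohosts, client):
    """Status of a whole rule; a rule with no sudoHost at all is always fetched."""
    if not sudohosts:
        return "match"
    statuses = {host_value_status(v, client) for v in sudohosts}
    for s in ("match", "deferred"):
        if s in statuses:
            return s
    return "filtered"


def network_contains_client(cidr, client):
    """Whether a CIDR contains one of the client's addresses, which is what the
    rule author usually expects; contrast with rule_status for the same CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(ipaddress.ip_address(a) in net for a in client["addrs"])


def evaluate(rules, client):
    """Map every sample rule to its pre-filter status for this client."""
    return {name: rule_status(hosts, client) for name, hosts in rules.items()}


if __name__ == "__main__":
    print(sudohost_filter(CLIENT))
    for name, status in evaluate(SAMPLE_RULES, CLIENT).items():
        print("%-18s %s" % (name, status))
```

Run it against a rule you suspect, or feed CLIENT the values from your own ldap_search_ext line; anything that comes back "filtered" will never show up in ldbsearch output no matter how many refreshes you trigger, and the fix is on the rule side (use the FQDN, the exact connected network, a netgroup, or an IPA hostgroup with sudo_provider=ipa).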