On (27/03/15 14:56), Benoit Rousselle wrote:
>Hi,
>
>I set up a sudo config in the IPA client and set a rule on the IPA server.
>sudo rules from IPA are not found: it returns 0 rules for the user
>
>This config is ambiguous. Is there a method to check if everything is OK?
>The best way for this moment is to set debug_level on sssd. But I'm not
>sure that the problem comes from there.
>
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1cba830 "ltdb_callback"
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=my_user)(sudoUser=#1600001)(sudoUser=%utilisateur_a)(sudoUser=%adupont)(sudoUser=+*)))]
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1cb9000
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1cb9240
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1cb9240 "ltdb_timeout"
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1cb9000 "ltdb_callback"
>
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [my_user@my_domain.com]
>(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1cb30e0][18]
>
>
>My client config:
>[domain/my_domain.com]
>debug_level = 6
>cache_credentials = True
>krb5_store_password_if_offline = True
>krb5_realm = MY_IDMDOMAIN.COM
>ipa_domain = my_domain.com
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = myserver.my_domain.com
>chpass_provider = ipa
>ipa_server = _srv_, idm.my_domain.com
>ldap_tls_cacert = /etc/ipa/ca.crt
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>
>domains = addcnet.com
>[nss]
>
>[pam]
>
>[sudo]
>debug_level = 9
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>----
>server redhat : LINUX 6.4

RHEL 6.4 has an old version of sssd which does not have a native IPA sudo provider.
You will need to configure sudo with sudo_provider = ldap.
Please follow the instructions in the manual page "sssd-sudo".

LS
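
One way to script the "is everything OK?" check asked about in this thread, as an added example that is not part of either message and is not FreeIPA or SSSD project code. The function names, the sample sssd.conf and the sample log line are constructed for illustration; the check assumes an SSSD build without the native IPA sudo provider, so every active domain needs sudo_provider = ldap.

```python
import configparser
import re

# Constructed sample, modelled on the sssd.conf quoted in the thread (not the poster's file).
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = my_domain.com

[domain/my_domain.com]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, idm.my_domain.com

[sudo]
debug_level = 9
"""

# Constructed log line in the format shown in the thread.
SAMPLE_LOG = (
    "(Fri Mar 27 14:12:36 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] "
    "(0x0400): Returning 0 rules for [my_user@my_domain.com]\n"
)

def _csv(value):
    """Split a comma-separated sssd.conf value into trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def check_sudo_config(conf_text):
    """List problems that keep the sudo responder from serving rules via sudo_provider = ldap."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    if "sudo" not in _csv(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services does not include sudo")
    # Only domains named in [sssd] domains are loaded, so inspect exactly those.
    for dom in _csv(cp.get("sssd", "domains", fallback="")):
        section = "domain/" + dom
        if not cp.has_section(section):
            findings.append(f"domains lists {dom} but [{section}] is missing")
        elif cp.get(section, "sudo_provider", fallback="").strip().lower() != "ldap":
            findings.append(f"[{section}] has no sudo_provider = ldap")
    return findings

def users_with_zero_rules(log_text):
    """Return users for whom the sudo responder answered with an empty rule set."""
    return sorted(set(re.findall(r"Returning 0 rules for \[([^\]]+)\]", log_text)))

if __name__ == "__main__":
    for finding in check_sudo_config(SAMPLE_CONF):
        print("config:", finding)
    for user in users_with_zero_rules(SAMPLE_LOG):
        print("no sudo rules returned for", user)
```

Point check_sudo_config at the contents of /etc/sssd/sssd.conf and users_with_zero_rules at the sudo responder log written when debug_level is raised in the [sudo] section.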