On Fri, Jun 27, 2014 at 12:24:44PM +0000, Teemu Keinonen wrote:
> Hello,
>
> I'm configuring a CentOS 6.5 server to authenticate users and sudo rights
> against a local Samba 4.1.8 (compiled from source). Sssd is 1.9.2 from the package
> repository. User authentication works OK, I can log in with a user that exists
> only in Samba, but sudoing with the same user fails. After hours of trying I
> still can't get it right: sssd_sudo receives 0 rules from Samba. Doing an
> ldapsearch with the criteria from the logs does return sudoer entries, as below. Am I
> missing something obvious?
> Below are (in order) ldapsearch, sssd.conf and sssd_default.log (the part which
> I think is relevant).
>
> [root@dc1 sssd]# ldapsearch -h dc1 -Y GSSAPI -b OU=SUDOers,DC=teemu,DC=local '(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=Host01)(sudoHost=Host01.example.com)(sudoHost=192.168.0.21)(sudoHost=192.168.0.0/24)(sudoHost=fe80::786b:f4ff:fe87:3314)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))'
> SASL/GSSAPI authentication started
> SASL username: [email protected]

I wonder if this ^^ could be the issue. SSSD authenticates as the host itself,
you seem to have authenticated as the administrator. Maybe there are some ACIs
on the server preventing SSSD from accessing the rules?

Can you try:

kdestroy
kinit -k -t /etc/krb5.sssd.keytab [email protected]

before the ldapsearch?

btw your config file contains both GSSAPI configuration and a bind user, I
suppose you can remove the latter?

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
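The check proposed in the reply, as an added example rather than anything posted in the thread: run the same sudoRole search once as the administrator and once as the host principal from the SSSD keytab, and compare how many entries each identity can see. The server name, base DN and keytab path are taken from the thread; the two principals are passed as arguments, and the filter is simplified to `(objectClass=sudoRole)` so that the comparison isolates access control from sudoHost matching.

```shell
#!/bin/sh
# Added example (not from the thread): does the host principal SSSD binds as
# see the same sudoRole entries as the administrator? A lower count for the
# host principal points at ACLs on the sudoRole entries, not at SSSD itself.
set -e

SERVER="dc1"                            # from the thread
BASE="OU=SUDOers,DC=teemu,DC=local"     # from the thread
HOST_KEYTAB="/etc/krb5.sssd.keytab"     # from the thread
FILTER='(objectClass=sudoRole)'         # deliberately simplified

# Count entries in LDIF read from stdin: ldapsearch emits one "dn:" line per
# entry whether or not -LLL is used. grep -c exits 1 on zero matches, which
# must not abort the script under set -e.
count_sudo_roles() {
    grep -c '^dn: ' || true
}

# Obtain a ticket for PRINCIPAL (from KEYTAB when given, otherwise
# interactively), run the search with GSSAPI and print the entry count.
rules_visible_to() {
    principal="$1"
    keytab="${2:-}"
    kdestroy -q 2>/dev/null || true
    if [ -n "$keytab" ]; then
        kinit -k -t "$keytab" "$principal"
    else
        kinit "$principal"
    fi
    ldapsearch -LLL -h "$SERVER" -Y GSSAPI -b "$BASE" "$FILTER" dn 2>/dev/null \
        | count_sudo_roles
}

# Usage: sh check_sudo_visibility.sh ADMIN_PRINCIPAL HOST_PRINCIPAL
# e.g.    sh check_sudo_visibility.sh Administrator@TEEMU.LOCAL 'DC1$@TEEMU.LOCAL'
# (both principal names are assumptions; use the ones from your realm/keytab).
compare_sudo_visibility() {
    admin_count="$(rules_visible_to "$1")"
    host_count="$(rules_visible_to "$2" "$HOST_KEYTAB")"
    echo "rules visible to $1: $admin_count"
    echo "rules visible to $2: $host_count"
    if [ "$host_count" -lt "$admin_count" ]; then
        echo "host principal sees fewer rules: check ACLs on $BASE"
        return 1
    fi
    return 0
}

if [ $# -ge 2 ]; then
    compare_sudo_visibility "$1" "$2"
fi
```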
