<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 04/24/2013 12:38 PM, Aly Khimji wrote:
    <blockquote
cite="mid:CAJMZt_ZBmwYCOjBoen69+ssS8MnpziqJ5hhO=ebftBMq+m9yYg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style="">Hey All,</div>
        <div style=""><br>
        </div>
        <div style="">Hoping you can help out; I have provided all
          details below. I have broken up the diagnostics into sudo-ldap for
          AD/IPA users and sudo-sss for AD/IPA users. </div>
        <div style="">Quick background. Have a 2003 Domain, with an IPA
          Trust established and working. AD users as well as local IPA
          users are able to log in to clients, and HBAC with both types of
          users works as expected. Problem is with SUDO. sudo uid has
          been configured, and I have followed the RedHat IDM Setup
          docs for v3. AD users have been nested as required.</div>
        <div style=""><br>
        </div>
        <div style="">AD users -> AD Grp -> IPA Ext Grp -> IPA
          Posix Grp -->HBAC/SUDO applied to this group</div>
        <div style="">IPA User -> Same HBAC/SUDO as above<br>
        </div>
        <div style=""><br>
        </div>
        <div style="">
          When using sudo-ldap on the client side, neither local IPA
          users nor AD users are able to use sudo (see below); when using
          sudo through sssd, only the local IPA user is able to fetch the
          correct sudo rules. </div>
        <div style=""><br>
        </div>
        <div style="">atest = local IPA user</div>
        <div style="">btest = AD trust user</div>
        <div style=""><br>
        </div>
        <div style=""> </div>
        <div style="">All platforms are RHEL6.4 fully updated 64bit</div>
        <div style=""><br>
        </div>
        <div style="">Server Pkgs</div>
        <div style="">
          <div>libipa_hbac-python-1.9.2-82.4.el6_4.x86_64</div>
          <div>ipa-python-3.0.0-26.el6_4.2.x86_64</div>
          <div>ipa-client-3.0.0-26.el6_4.2.x86_64</div>
          <div>ipa-server-3.0.0-26.el6_4.2.x86_64</div>
          <div>ipa-pki-ca-theme-9.0.3-7.el6.noarch</div>
          <div>ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64</div>
          <div>libipa_hbac-1.9.2-82.4.el6_4.x86_64</div>
          <div>ipa-admintools-3.0.0-26.el6_4.2.x86_64</div>
          <div>ipa-server-selinux-3.0.0-26.el6_4.2.x86_64</div>
          <div>ipa-pki-common-theme-9.0.3-7.el6.noarch</div>
          <div><br>
          </div>
          <div>libsss_idmap-1.9.2-82.4.el6_4.x86_64<br>
          </div>
        </div>
        <div style="">
          <div>sssd-1.9.2-82.4.el6_4.x86_64</div>
          <div>libsss_autofs-1.9.2-82.4.el6_4.x86_64</div>
          <div>sssd-client-1.9.2-82.4.el6_4.x86_64</div>
          <div>
            <br>
          </div>
        </div>
        <div style="">sudo-1.8.6p3-7.el6.x86_64<br>
        </div>
        <div style=""><br>
        </div>
        <div style="">Client Pkgs</div>
        <div style="">
          <div>ipa-python-3.0.0-25.el6.x86_64</div>
          <div>python-iniparse-0.3.1-2.1.el6.noarch</div>
          <div>libipa_hbac-python-1.9.2-82.el6.x86_64</div>
          <div>ipa-client-3.0.0-25.el6.x86_64</div>
          <div>libipa_hbac-1.9.2-82.el6.x86_64</div>
          <div><br>
          </div>
          <div>
            <div>sssd-1.9.2-82.el6.x86_64</div>
            <div>libsss_sudo-1.9.2-82.el6.x86_64</div>
            <div>sssd-client-1.9.2-82.el6.x86_64</div>
            <div>libsss_autofs-1.9.2-82.el6.x86_64</div>
            <div>libsss_idmap-1.9.2-82.el6.x86_64</div>
          </div>
          <div><br>
          </div>
          <div>sudo-1.8.6p3-7.el6.x86_6<br>
          </div>
        </div>
        <div style=""><br>
        </div>
        <div style=""><br>
        </div>
        <div style="">Diag when using SUDO -> SSS</div>
        <div style=""><br>
        </div>
        <div>
          <div>LOCAL IDM USER </div>
          <div>-sh-4.1$ sudo -l<br>
          </div>
          <div>Matching Defaults entries for atest on this host:</div>
          <div>    requiretty, !visiblepw, always_set_home, env_reset,
            env_keep="COLORS</div>
          <div>    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
            env_keep+="MAIL PS1</div>
          <div>    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
            env_keep+="LC_COLLATE</div>
          <div>    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
            env_keep+="LC_MONETARY</div>
          <div>    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
            env_keep+="LC_TIME LC_ALL</div>
          <div>    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",</div>
          <div>    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin</div>
          <div><br>
          </div>
          <div>User atest may run the following commands on this host:</div>
          <div>    (root : wheel) /usr/bin/less</div>
          <div>-sh-4.1$</div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>AD TRUST USER</div>
          <div>-sh-4.1$ sudo -l</div>
          <div>[sudo] password for <a moz-do-not-send="true"
              href="mailto:btest@corpnonprd.xxxx.com">btest@corpnonprd.xxxx.com</a>:</div>
          <div>User <a moz-do-not-send="true"
              href="mailto:btest@corpnonprd.xxxx.com">btest@corpnonprd.xxxx.com</a>
            is not allowed to run sudo on rhidmclient.</div>
          <div>-sh-4.1$</div>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>
          <div>[root@rhidmclient ~]# cat /etc/nsswitch.conf</div>
          <div>....</div>
          <div>sudoers: files sss</div>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>/etc/sssd/sssd.conf (CLIENT)<br>
        </div>
        <div><br>
        </div>
        <div>[domain/nix.corpnonprd.xxxx.com]<br>
        </div>
        <div>
          <div>debug_level = 5</div>
          <div><br>
          </div>
          <div>cache_credentials = True</div>
          <div>krb5_store_password_if_offline = True</div>
          <div>ipa_domain = nix.corpnonprd.xxxx.com</div>
          <div>id_provider = ipa</div>
          <div>auth_provider = ipa</div>
          <div>access_provider = ipa</div>
          <div>ipa_hostname = rhidmclient.nix.corpnonprd.xxxx.com</div>
          <div>chpass_provider = ipa</div>
          <div>ipa_server = _srv_, didmsvrua01.nix.corpnonprd.xxxx.com</div>
          <div>ldap_tls_cacert = /etc/ipa/ca.crt</div>
          <div><br>
          </div>
          <div>sudo_provider = ldap</div>
          <div>ldap_uri = ldap://didmsvrua01.nix.corpnonprd.xxxx.com</div>
          <div>ldap_sudo_search_base = ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com</div>
          <div>ldap_sasl_mech = GSSAPI</div>
          <div>ldap_sasl_authid = host/rhidmclient.nix.corpnonprd.xxxx.com</div>
          <div>ldap_sasl_realm = NIX.CORPNONPRD.XXXX.COM</div>
          <div>krb5_server = didmsvrua01.nix.corpnonprd.XXXX.com</div>
          <div><br>
          </div>
          <div>subdomains_provider = ipa</div>
          <div><br>
          </div>
          <div>[sssd]</div>
          <div>config_file_version = 2</div>
          <div>reconnection_retries = 3<br>
          </div>
          <div>sbus_timeout = 30<br>
          </div>
          <div>services = nss, pam, ssh, sudo, pac</div>
        </div>
        <div style=""><br>
        </div>
        <div style="">[sudo]</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div style=""><br>
        </div>
        <div style="">/etc/krb5.conf (CLIENT)</div>
        <div style="">includedir /var/lib/sss/pubconf/krb5.include.d/<br>
        </div>
        <div style="">
          <div>
            <br>
          </div>
          <div>[libdefaults]</div>
          <div>  default_realm = NIX.CORPNONPRD.xxxx.COM</div>
          <div>  dns_lookup_realm = true</div>
          <div>  dns_lookup_kdc = true</div>
          <div>  rdns = false</div>
          <div>  ticket_lifetime = 24h</div>
          <div>  forwardable = yes</div>
          <div><br>
          </div>
          <div>[realms]</div>
          <div>  NIX.CORPNONPRD.xxxx.COM = {</div>
          <div>    pkinit_anchors = FILE:/etc/ipa/ca.crt</div>
          <div>    auth_to_local = RULE:[1:$1@$0](^.*@CORPNONPRD.xxxx.COM$)s/@CORPNONPRD.xxxx.COM/@corpnonprd.xxxx.com/</div>
          <div>    auth_to_local = DEFAULT</div>
          <div>  }</div>
          <div><br>
          </div>
          <div>[domain_realm]</div>
          <div>  .nix.corpnonprd.xxxx.com = NIX.CORPNONPRD.xxxx.COM</div>
          <div>  nix.corpnonprd.xxxx.com = NIX.CORPNONPRD.xxxx.COM</div>
        </div>
        <div style=""><br>
        </div>
        <div style=""><br>
        </div>
        <div style="">/var/log/sssd output (CLIENT) when triggering
          $>sudo -l<br>
        </div>
        <div style=""><br>
        </div>
        <div style="">
          <div>LOCAL IDM USER</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_get_account_info] (0x0100): Got request for
            [3][1][name=atest]</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [sdap_initgr_nested_search] (0x0040): Search for group
            cn=ipausers,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com,
            returned 0 results. Skipping</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [sdap_initgr_nested_search] (0x0040): Search for group
            ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com,
            returned 0 results. Skipping</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [sdap_initgr_nested_search] (0x0040): Search for group
            ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com,
            returned 0 results. Skipping</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [acctinfo_callback] (0x0100): Request processed. Returned
            0,0,Success</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler] (0x0100): Got request with the following
            data</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): command: PAM_AUTHENTICATE</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): domain: <a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a></div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): user: atest</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): service: sudo</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): tty: /dev/pts/3</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): ruser: atest</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): rhost:</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): authtok type: 1</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): authtok size: 11</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): newauthtok type: 0</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): newauthtok size: 0</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): priv: 0</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): cli_pid: 5382</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [check_for_valid_tgt] (0x0080): TGT is valid.</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [fo_resolve_service_send] (0x0100): Trying to resolve
            service 'IPA'</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [resolve_srv_send] (0x0200): The status of SRV lookup is
            resolved</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_resolve_server_process] (0x0200): Found address for
            server <a moz-do-not-send="true"
              href="http://didmsvrua01.nix.corpnonprd.xxxx.com">didmsvrua01.nix.corpnonprd.xxxx.com</a>:
            [10.137.216.162] TTL 1200</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [krb5_find_ccache_step] (0x0080): Saved ccache
            <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_818800005_KVeSdP">FILE:/tmp/krb5cc_818800005_KVeSdP</a> if of different type than
            ccache in configuration file, reusing the old ccache</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [fo_set_port_status] (0x0100): Marking port 389 of server '<a
              moz-do-not-send="true"
              href="http://didmsvrua01.nix.corpnonprd.xxxx.com">didmsvrua01.nix.corpnonprd.xxxx.com</a>'
            as 'working'</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [set_server_common_status] (0x0100): Marking server '<a
              moz-do-not-send="true"
              href="http://didmsvrua01.nix.corpnonprd.xxxx.com">didmsvrua01.nix.corpnonprd.xxxx.com</a>'
            as 'working'</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Backend returned: (0, 0,
            <NULL>) [Success]</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Sending result [0][<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Sent result [0][<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [child_sig_handler] (0x0100): child [5383] finished
            successfully.</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler] (0x0100): Got request with the following
            data</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): command: PAM_ACCT_MGMT</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): domain: <a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a></div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): user: atest</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): service: sudo</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): tty: /dev/pts/3</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): ruser: atest</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): rhost:</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): authtok type: 0</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): authtok size: 0</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): newauthtok type: 0</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): newauthtok size: 0</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): priv: 0</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): cli_pid: 5382</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [ipa_hostgroup_info_done] (0x0200): No host groups were
            dereferenced</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC
            rule [test_HBAC]</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Backend returned: (0, 0,
            <NULL>) [Success]</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Backend returned: (0, 0,
            Success) [Success]</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Sending result [0][<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]</div>
          <div>(Wed Apr 24 10:56:30 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Sent result [0][<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]</div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>AD TRUST USER</div>
          <div>(Wed Apr 24 10:57:15 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_get_account_info] (0x0100): Got request for
            [3][1][name=btest]</div>
          <div>(Wed Apr 24 10:57:15 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [acctinfo_callback] (0x0100): Request processed. Returned
            3,95,User lookup failed</div>
          <div>(Wed Apr 24 10:57:15 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_get_account_info] (0x0100): Got request for
            [3][1][name=btest]</div>
          <div>(Wed Apr 24 10:57:15 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [acctinfo_callback] (0x0100): Request processed. Returned
            3,95,User lookup failed</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_get_account_info] (0x0100): Got request for
            [3][1][name=btest]</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [acctinfo_callback] (0x0100): Request processed. Returned
            3,95,User lookup failed</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler] (0x0100): Got request with the following
            data</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): command: PAM_AUTHENTICATE</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): domain: <a
              moz-do-not-send="true" href="http://CorpNonPrd.xxxx.com">CorpNonPrd.xxxx.com</a></div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): user: <a moz-do-not-send="true"
              href="mailto:btest@CorpNonPrd.xxxx.com">btest@CorpNonPrd.xxxx.com</a></div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): service: sudo</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): tty: /dev/pts/3</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): ruser: <a moz-do-not-send="true"
              href="mailto:btest@corpnonprd.xxxx.com">btest@corpnonprd.xxxx.com</a></div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): rhost:</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): authtok type: 1</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): authtok size: 11</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): newauthtok type: 0</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): newauthtok size: 0</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): priv: 0</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): cli_pid: 5412</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred
            failed.</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [fo_resolve_service_send] (0x0100): Trying to resolve
            service 'IPA'</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [resolve_srv_send] (0x0200): The status of SRV lookup is
            resolved</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_resolve_server_process] (0x0200): Found address for
            server <a moz-do-not-send="true"
              href="http://didmsvrua01.nix.corpnonprd.xxxx.com">didmsvrua01.nix.corpnonprd.xxxx.com</a>:
            [10.137.216.162] TTL 1200</div>
          <div>(Wed Apr 24 10:57:18 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [krb5_find_ccache_step] (0x0080): Saved ccache
            <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_59401108_CfhZS2">FILE:/tmp/krb5cc_59401108_CfhZS2</a> if of different type than
            ccache in configuration file, reusing the old ccache</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [fo_set_port_status] (0x0100): Marking port 389 of server '<a
              moz-do-not-send="true"
              href="http://didmsvrua01.nix.corpnonprd.xxxx.com">didmsvrua01.nix.corpnonprd.xxxx.com</a>'
            as 'working'</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [set_server_common_status] (0x0100): Marking server '<a
              moz-do-not-send="true"
              href="http://didmsvrua01.nix.corpnonprd.xxxx.com">didmsvrua01.nix.corpnonprd.xxxx.com</a>'
            as 'working'</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Backend returned: (0, 0,
            <NULL>) [Success]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Sending result [0][<a
              moz-do-not-send="true" href="http://CorpNonPrd.xxxx.com">CorpNonPrd.xxxx.com</a>]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Sent result [0][<a
              moz-do-not-send="true" href="http://CorpNonPrd.xxxx.com">CorpNonPrd.xxxx.com</a>]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [child_sig_handler] (0x0100): child [5414] finished
            successfully.</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_get_account_info] (0x0100): Got request for
            [3][1][name=btest]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [acctinfo_callback] (0x0100): Request processed. Returned
            3,95,User lookup failed</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler] (0x0100): Got request with the following
            data</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): command: PAM_ACCT_MGMT</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): domain: <a
              moz-do-not-send="true" href="http://CorpNonPrd.xxxx.com">CorpNonPrd.xxxx.com</a></div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): user: <a moz-do-not-send="true"
              href="mailto:btest@CorpNonPrd.xxxx.com">btest@CorpNonPrd.xxxx.com</a></div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): service: sudo</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): tty: /dev/pts/3</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): ruser: <a moz-do-not-send="true"
              href="mailto:btest@corpnonprd.xxxx.com">btest@corpnonprd.xxxx.com</a></div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): rhost:</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): authtok type: 0</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): authtok size: 0</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): newauthtok type: 0</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): newauthtok size: 0</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): priv: 0</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [pam_print_data] (0x0100): cli_pid: 5412</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [ipa_hostgroup_info_done] (0x0200): No host groups were
            dereferenced</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC
            rule [test_HBAC]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Backend returned: (0, 0,
            <NULL>) [Success]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [sss_selinux_extract_user] (0x0040):
            sysdb_search_user_by_name failed.</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [ipa_selinux_handler] (0x0040): Cannot create op context</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Backend returned: (3, 4,
            <NULL>) [Internal Error (System error)]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Sending result [0][<a
              moz-do-not-send="true" href="http://CorpNonPrd.xxxx.com">CorpNonPrd.xxxx.com</a>]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_pam_handler_callback] (0x0100): Sent result [0][<a
              moz-do-not-send="true" href="http://CorpNonPrd.xxxx.com">CorpNonPrd.xxxx.com</a>]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_get_account_info] (0x0100): Got request for
            [3][1][name=btest]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [acctinfo_callback] (0x0100): Request processed. Returned
            3,95,User lookup failed</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [be_get_account_info] (0x0100): Got request for
            [3][1][name=btest]</div>
          <div>(Wed Apr 24 10:57:19 2013) [sssd[be[<a
              moz-do-not-send="true"
              href="http://nix.corpnonprd.xxxx.com">nix.corpnonprd.xxxx.com</a>]]]
            [acctinfo_callback] (0x0100): Request processed. Returned
            3,95,User lookup failed</div>
          <div><br>
          </div>
        </div>
        <div style="">* I did note the [Internal Error (System error)]
          & the 3,95,User lookup failed, but I don't know the specifics
          of these calls</div>
        <div style=""><br>
        </div>
        <div style="">USING SUDO-LDAP</div>
        <div><br>
        </div>
        <div style="">
          <div>[root@rhidmclient ~]# cat /etc/nsswitch.conf</div>
          <div>....</div>
          <div>sudoers: files ldap<br>
          </div>
          <div><br>
          </div>
          <div>[root@rhidmclient ~]# cat /etc/sudo-ldap.conf<br>
          </div>
          <div>....</div>
          <div>
            <div>bindn
              uid=sudo,cn=sysaccounts,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com</div>
            <div>bindpw xxxx</div>
            <div>ssl start_tls</div>
            <div>uri ldap://didmsvrua01.nix.corpnonprd.xxxx.com</div>
            <div>sudoers_base
              ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com</div>
            <div>sudoers_debug 1</div>
            <div>tls_cacertfile /etc/ipa/ca.crt</div>
          </div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div><br>
          </div>
        </div>
        <div>LOCAL IDM USER</div>
        <div>
          -sh-4.1$ sudo -l</div>
        <div>sudo: ldap_set_option: debug -> 0</div>
        <div>sudo: ldap_set_option: ldap_version -> 3</div>
        <div>sudo: ldap_sasl_bind_s() ok</div>
        <div>sudo: Looking for cn=defaults: cn=defaults</div>
        <div>sudo: no default options found in
          ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com</div>
        <div>sudo: ldap search
'(|(sudoUser=atest)(sudoUser=%atest)(sudoUser=%#818800005)(sudoUser=ALL))'</div>
        <div>sudo: searching from base
          'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'</div>
        <div>sudo: adding search result</div>
        <div>sudo: result now has 0 entries</div>
        <div>sudo: ldap search '(sudoUser=+*)'</div>
        <div>sudo: searching from base
          'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'</div>
        <div>sudo: adding search result</div>
        <div>sudo: result now has 0 entries</div>
        <div>sudo: sorting remaining 0 entries</div>
        <div>sudo: perform search for pwflag 52</div>
        <div>sudo: done with LDAP searches</div>
        <div>sudo: user_matches=1</div>
        <div>sudo: host_matches=0</div>
        <div>sudo: sudo_ldap_lookup(52)=0x82</div>
        <div>[sudo] password for atest:</div>
        <div>Your password will expire in 89 day(s).</div>
        <div>sudo: ldap search for command list</div>
        <div>sudo: reusing previous result (user atest) with 0 entries</div>
        <div>User atest is not allowed to run sudo on rhidmclient.</div>
        <div>sudo: removing reusable search result</div>
        <div>-sh-4.1$</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>AD TRUST USER</div>
        <div>-sh-4.1$ sudo -l</div>
        <div>sudo: ldap_set_option: debug -> 0</div>
        <div>sudo: ldap_set_option: ldap_version -> 3</div>
        <div>sudo: ldap_sasl_bind_s() ok</div>
        <div>sudo: Looking for cn=defaults: cn=defaults</div>
        <div>sudo: no default options found in
          ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com</div>
        <div>sudo: ldap search '(|(sudoUser=<a moz-do-not-send="true"
            href="mailto:btest@corpnonprd.xxxx.com">btest@corpnonprd.xxxx.com</a>)(sudoUser=%<a
            moz-do-not-send="true"
            href="mailto:btest@corpnonprd.xxxx.com">btest@corpnonprd.xxxx.com</a>)(sudoUser=%#59401108)(sudoUser=%domain
          <a moz-do-not-send="true"
            href="mailto:admins@corpnonprd.xxxx.com">admins@corpnonprd.xxxx.com</a>)(sudoUser=%domain
          <a moz-do-not-send="true"
            href="mailto:users@corpnonprd.xxxx.com">users@corpnonprd.xxxx.com</a>)(sudoUser=%<a
            moz-do-not-send="true"
            href="mailto:seca@corpnonprd.xxxx.com">seca@corpnonprd.xxxx.com</a>)(sudoUser=%ad_admins)(sudoUser=%#59400512)(sudoUser=%#59400513)(sudoUser=%#59401113)(sudoUser=%#818800006)(sudoUser=ALL))'</div>
        <div>sudo: searching from base
          'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'</div>
        <div>sudo: adding search result</div>
        <div>sudo: result now has 0 entries</div>
        <div>sudo: ldap search '(sudoUser=+*)'</div>
        <div>sudo: searching from base
          'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'</div>
        <div>sudo: adding search result</div>
        <div>sudo: result now has 0 entries</div>
        <div>sudo: sorting remaining 0 entries</div>
        <div>sudo: perform search for pwflag 52</div>
        <div>sudo: done with LDAP searches</div>
        <div>sudo: user_matches=1</div>
        <div>sudo: host_matches=0</div>
        <div>sudo: sudo_ldap_lookup(52)=0x82</div>
        <div>[sudo] password for <a moz-do-not-send="true"
            href="mailto:btest@corpnonprd.xxxx.com">btest@corpnonprd.xxxx.com</a>:</div>
        <div>Your password will expire in 8908 day(s).</div>
        <div>sudo: ldap search for command list</div>
        <div>sudo: reusing previous result (user <a
            moz-do-not-send="true"
            href="mailto:btest@corpnonprd.xxxx.com">btest@corpnonprd.xxxx.com</a>)
          with 0 entries</div>
        <div>User <a moz-do-not-send="true"
            href="mailto:btest@corpnonprd.xxxx.com">btest@corpnonprd.xxxx.com</a>
          is not allowed to run sudo on rhidmclient.</div>
        <div>sudo: removing reusable search result</div>
        <div>-sh-4.1$</div>
        <div><br>
        </div>
        <div style="">
          Hope you guys can provide some support.</div>
        <div style=""><br>
        </div>
      </div>
    </blockquote>
    <br>
    I am not sure that sudo-ldap would work for the trust case at all.
    The resolution of a user to a sudo rule via his AD group membership in
    IPA groups is tricky and is done by SSSD. sudo natively can't resolve it,
    as part of the data is not stored in LDAP but taken from the
    Kerberos ticket that the user has.<br>
     <br>
    I suspect that sudo does not work for the AD user in the SSSD test
    above because the user has never authenticated. The user should
    authenticate and get on the box first, either via SSH or via a direct
    login into the box. In both cases there will be a Kerberos TGT
    acquired for this user. The TGT will come from AD and will have an
    MS-PAC - a blob of authorization data that contains the list of the
    groups the user is a member of. One of the groups should be a member
    of the IPA group, so the user would be resolved to the right sudo
    rule(s). Right now the data about the AD group membership is missing.
    Please authenticate with the test user and try again.<br>
    <br>
    <blockquote
cite="mid:CAJMZt_ZBmwYCOjBoen69+ssS8MnpziqJ5hhO=ebftBMq+m9yYg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style="">Thx</div>
        <div style=""><br>
        </div>
        <div style="">Aly</div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
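As an added illustration of the resolution chain described in the reply above (example code written for this page, not SSSD's or sudo's own code): an AD trust user's group membership is known only from the group SIDs carried in the MS-PAC of the Kerberos TGT, so before the user has authenticated no IPA external group matches and no sudo rule resolves, while a local IPA user is matched by direct group membership. The directory contents, group names, rule name and SID below are constructed sample data.

```python
# Constructed model of the IPA/AD trust chain:
#   AD user -> AD group SID (from the MS-PAC in the TGT)
#   -> IPA external group (ipaExternalMember = SID)
#   -> IPA POSIX group -> sudo rule with sudoUser = %posixgroup
# All names and the SID are sample data, not values from the thread.

# Assumed sample AD group SID (placeholder, not a real domain SID).
AD_ADMINS_SID = "S-1-5-21-1111-2222-3333-512"

# External groups map AD SIDs into IPA; POSIX groups carry direct IPA users
# and/or external groups as members.
EXTERNAL_GROUPS = {"ad_admins_external": {AD_ADMINS_SID}}
POSIX_GROUPS = {
    "ad_admins": {"ext_members": {"ad_admins_external"}, "user_members": set()},
    "ipa_admins": {"ext_members": set(), "user_members": {"atest"}},
}
SUDO_RULES = {"test_SUDO": {"sudoUser": {"%ad_admins", "%ipa_admins"}}}


def posix_groups_for(user, pac_sids):
    """Return the IPA POSIX groups `user` resolves to.

    `pac_sids` is the set of group SIDs from the user's MS-PAC, or None when
    the user has never authenticated (no TGT, hence no PAC). A local IPA user
    matches by direct membership; an AD trust user matches only through an
    external group whose SID is present in the PAC.
    """
    groups = set()
    for name, group in POSIX_GROUPS.items():
        if user in group["user_members"]:
            groups.add(name)
            continue
        if not pac_sids:
            continue  # no PAC data: external memberships cannot be evaluated
        for ext in group["ext_members"]:
            if EXTERNAL_GROUPS.get(ext, set()) & pac_sids:
                groups.add(name)
    return groups


def matching_sudo_rules(user, pac_sids=None):
    """Return the names of sudo rules whose sudoUser covers `user`."""
    groups = posix_groups_for(user, pac_sids)
    matched = set()
    for rule, attrs in SUDO_RULES.items():
        for spec in attrs["sudoUser"]:
            if spec == "ALL" or spec == user:
                matched.add(rule)
            elif spec.startswith("%") and spec[1:] in groups:
                matched.add(rule)
    return matched


if __name__ == "__main__":
    print(matching_sudo_rules("atest"))                        # local IPA user
    print(matching_sudo_rules("btest@corpnonprd.xxxx.com"))    # AD user, no PAC yet
    print(matching_sudo_rules("btest@corpnonprd.xxxx.com", {AD_ADMINS_SID}))
```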
  </body>
</html>