<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div>Is this in RHEL-based systems only? On Ubuntu there still seem to be issues.<br><br></div><div>A full printout of the config file(s) would be nice to see as most people write other things down they have working, but the working ones don't write their full config down.<br>

<br></div></div>
</blockquote></div><br></div><div class="gmail_extra" style>All my systems are CentOS 6.4, so YMMV on Ubuntu - I've not tested any packages for Debian-based systems...</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>
The full (sanitized for domains) config:</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style><div class="gmail_extra">[root@backup hogarthj]# cat /etc/sssd/sssd.conf </div><div class="gmail_extra">
[domain/example.com]</div><div class="gmail_extra"><br></div><div class="gmail_extra">cache_credentials = True</div><div class="gmail_extra">krb5_store_password_if_offline = True</div><div class="gmail_extra">
krb5_realm = EXAMPLE.COM</div><div class="gmail_extra">ipa_domain = example.com</div><div class="gmail_extra">id_provider = ipa</div><div class="gmail_extra">
auth_provider = ipa</div><div class="gmail_extra">access_provider = ipa</div><div class="gmail_extra">chpass_provider = ipa</div><div class="gmail_extra">ipa_dyndns_update = True</div><div class="gmail_extra">ipa_server = _srv_, ipa01.example.com</div>
<div class="gmail_extra">ldap_tls_cacert = /etc/ipa/ca.crt</div><div class="gmail_extra">sudo_provider = ldap</div><div class="gmail_extra">ldap_sudo_search_base = ou=sudoers,dc=example,dc=com</div><div class="gmail_extra">
ldap_sasl_mech = GSSAPI</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">[sssd]</div><div class="gmail_extra">services = nss, pam, ssh, sudo</div>
<div class="gmail_extra">config_file_version = 2</div><div class="gmail_extra"><br></div><div class="gmail_extra">domains = example.com</div><div class="gmail_extra">[nss]</div><div class="gmail_extra">
<br></div><div class="gmail_extra">[pam]</div><div class="gmail_extra"><br></div><div class="gmail_extra">[sudo]</div><div class="gmail_extra"><br></div><div class="gmail_extra">[autofs]</div><div class="gmail_extra"><br>
</div><div class="gmail_extra">[ssh]</div><div class="gmail_extra"><br></div><div class="gmail_extra" style>The only other edit on the system to make this work was adding this line to /etc/nsswitch.conf:</div><div class="gmail_extra" style>
<br></div><div class="gmail_extra" style>sudoers: files sss</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>This system was successfully working with the ldap-sudo.conf method before but of course that had no load balancing and no caching.</div>
<div class="gmail_extra" style><br></div></div></div>
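A checker for the sudo-related settings in the message above, as an added example that is not part of the original post: it parses sssd.conf and nsswitch.conf text and reports which of the settings the post relied on are missing. The function names and sample strings are constructed, and treating the post's settings as the required set is an assumption.

```python
import configparser

# Constructed sample mirroring the sudo-relevant settings quoted in the post.
SAMPLE_SSSD = """\
[domain/example.com]
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI

[sssd]
services = nss, pam, ssh, sudo
domains = example.com
"""
SAMPLE_NSSWITCH = "sudoers: files sss\n"

def _items(value):  # split a comma-separated sssd.conf value
    return [v.strip() for v in value.split(",") if v.strip()]

def check_sudo_via_sssd(sssd_conf, nsswitch_conf):
    """Return findings; an empty list means the post's sudo layout is present."""
    # Assumption: the settings shown in the post are treated as the required set.
    findings = []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_conf)
    if "sudo" not in _items(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services does not include sudo")
    for name in _items(cp.get("sssd", "domains", fallback="")):
        section = "domain/" + name
        if not cp.has_section(section):
            findings.append("[%s] listed in domains but not defined" % section)
            continue
        dom = cp[section]
        if dom.get("sudo_provider", "").lower() != "ldap":
            findings.append("[%s] sudo_provider is not ldap" % section)
            continue
        if not dom.get("ldap_sudo_search_base"):
            findings.append("[%s] ldap_sudo_search_base is unset" % section)
        if dom.get("ldap_sasl_mech", "").upper() != "GSSAPI":
            findings.append("[%s] ldap_sasl_mech is not GSSAPI" % section)
        if not dom.get("ldap_tls_cacert"):
            findings.append("[%s] ldap_tls_cacert is unset" % section)
    sources = []
    for line in nsswitch_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("sudoers:"):
            sources = line.split(":", 1)[1].split()
    if "sss" not in sources:
        findings.append("nsswitch.conf sudoers line does not include sss")
    return findings
```

On a host, pass the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf as the two arguments.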