<div dir="ltr"><div><div>Thanks for your time. Man pages were the first, but it's not working just base on that. Find out that libsss_sudo is desperately needed and it's not required by ipa-client rpm. So now I only need to check sudo policy in IPA, as there is obviously some issue, but connection is working. yum install ipa-client libsss_sudo ipa-client-install ... </div>modify: /etc/sssd/sssd.conf (ldap setup based on man) /etc/nsswitch.conf (sss provider for sudoers based on man) </div>and result: [vaclav.adamec@ipa-client~]$ groups vaclav.adamec admins [vaclav.adamec@ipa-client ~]$ sudo -l vaclav.adamec is not allowed to run sudo on ipa-client. This incident will be reported. (Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [vaclav.adamec] from [<ALL>] (Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vaclav.adamec@test] (Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vaclav.adamec@test] (Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [vaclav.adamec] from [test] (Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vaclav.adamec)(sudoUser=#1085800001)(sudoUser=%admins)(sudoUser=%vaclav.adamec)(sudoUser=+*))(&(dataExpireTimestamp<=1413529436)))] (Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=vaclav.adamec)(sudoUser=#1085800001)(sudoUser=%admins)(sudoUser=%vaclav.adamec)(sudoUser=+*)))] (Fri Oct 17 09:03:56 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [vaclav.adamec@test] <div class="gmail_extra"> </div><div class="gmail_extra">but ldap search: ldapsearch -x -h localhost -p 389 -b ou=sudoers,dc=test # sudoers, test dn: ou=sudoers,dc=test objectClass: extensibleObject ou: sudoers # Admins_can_do_anything, sudoers, <a href="http://cz.avg.com" target="_blank">test</a> dn: cn=Admins_can_run_whomai_as_root,ou=sudoers,dc=test sudoUser: %admins sudoHost: +all objectClass: sudoRole objectClass: top sudoRunAsUser: root sudoCommand: /usr/bin/whoami cn: Admins_can_run_whomai_as_root # search result search: 2 result: 0 Success </div><div class="gmail_extra"> <div class="gmail_quote">On Fri, Oct 17, 2014 at 8:39 AM, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, 17 Oct 2014, Vaclav Adamec wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Mixture of bot method is result of testing, just registration via ipa-client (maybe CentOS 6 has only ipa-client-3.0.0-37 ?) definitely not setup anything about sudo. I'll try to build 4.0.3 client for CentOS 6, but right now: </blockquote> Installing 4.x (client or server) is not supported on CentOS 6.x. You can use whatever IPA version is available there (3.0).It will not automatically configure sudo for you, there you have to follow what sssd-sudo(5) tells you to do. My primary point was that we have this documentation available on every machine where SSSD is in use, no need to search over internet. P.S. Please reply to the list, not personally. -- / Alexander Bokovoy </blockquote></div> </div></div>