<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 01/03/2015 05:14 AM, alireza baghery
wrote:<br>
</div>
<blockquote
cite="mid:CAPyvVhybfnR_L-TFvRcVV1xMGG+EU+w6=7OArEwCUxwNj-Nmsg@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_quote"><br>
<div dir="ltr">
<div>
<div>
<div>
<div>hi<br>
I integrated AD windows 208 R2 with IPA server
(centos 6.5)<br>
</div>
I write a policy for user test to execute any command on
any host<br>
</div>
user test can execute sudo on centos 6.5 but on centos
6.6 cannot (sudo gets an error)<br>
</div>
config sssd.conf<br>
=========================<br>
<pre>[domain/l.example.com]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = l.example.com
id_provider = ipa
ipa_server = _srv_,ipaserver.l.example.com
dap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipasrv.l.example.com
ldap_sudo_search_base = ou=sudoers,dc=l, dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipadevel.l.example.com
ldap_sasl_realm = L.EXAMPLE.COM
krb5_server = ipadevel.l.example.com
[sssd]
config_file_version = 2
services = nss, pam,ssh,sudo
</pre>
============================<br>
</div>
how to solve this problem<br>
</div>
</div>
<br>
</div>
<br>
<br>
</blockquote>
Enable sudo debugging and see what happens. Is the command denied or
is there some other error?<br>
Generally there are two flavors of errors: something is wrong with a
connection and no policy gets through, or the policies get through but
something is wrong with this specific policy or configuration.<br>
To start debugging, first rule out connectivity issues.<br>
<br>
SUDO and sssd debug logs are your friends.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
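<br>
An added example, not part of the original messages or of the sudo or sssd projects' own documentation: one way to turn on the sudo and sssd debug logs the reply refers to. It assumes the stock paths /etc/sudo.conf and /etc/sssd/sssd.conf, reuses the domain name from the quoted configuration, and assumes sssd's default log file names.<br>

```conf
# /etc/sudo.conf: sudo's own debug log (front end and sudoers plugin)
Debug sudo /var/log/sudo_debug all@debug
Debug sudoers.so /var/log/sudo_debug all@debug

# /etc/sssd/sssd.conf: add a [sudo] section for the sudo responder.
# The quoted [domain/l.example.com] section already sets debug_level = 6.
[sudo]
debug_level = 6

# After restarting sssd and re-running the failing sudo command, read
# (log names assumed from sssd defaults and the quoted domain name):
#   /var/log/sudo_debug                   sudo's request and how it evaluated the rules it received
#   /var/log/sssd/sssd_sudo.log           the sudo responder answering that request
#   /var/log/sssd/sssd_l.example.com.log  the domain back end fetching sudo rules from the server
```

If the back end log shows no rules being fetched, look at the connection first; if rules reach sudo but the command is still refused, look at the rule itself.<br>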
</body>
</html>