<div dir="ltr"><div><div><div><div><div><div>Hi Danila and other freeipa gurus, </div>sorry for my late answer, there is a bank holiday in CZ and I am off work these two days. </div>Yes, /etc/nsswitch.conf is fine, see: [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo sudoers: files sss </div>I think it is set up as part of freeipa-client package. </div>I went through this guide: <a href="https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO">https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO</a> </div>so I guess things are set right. </div>When I try to sudo as domain user, sssd_linuxdomain.cz.log says followng: (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.sudoHandler on path /org/freedesktop/sssd/dataprovider (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_sudo_handler] (0x0400): Entering be_sudo_handler() (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_sudo_handler] (0x0400): Issuing a refresh of specific sudo rules (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=linuxdomain,dc=cz] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectClass=sudoRole)(|(cn=Pokusne)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=<a href="http://spcss-2t-www.linuxdomain.cz">spcss-2t-www.linuxdomain.cz</a>)(sudoHost=spcss-2t-www)(sudoHost=10.1.62.88)(sudoHost=<a href="http://10.1.62.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=sudoers,dc=linuxdomain,dc=cz">10.1.62.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=sudoers,dc=linuxdomain,dc=cz</a>]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_add] (0x2000): New operation 6 timeout 6 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0], ldap[0x7f2389333ff0] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Pokusne,ou=sudoers,dc=linuxdomain,dc=cz]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0], ldap[0x7f2389333ff0] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_destructor] (0x2000): Operation 6 finished (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=linuxdomain,dc=cz] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_sudo_refresh_load_done] (0x0400): Received 1 rules (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule Pokusne (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule Pokusne (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [16136] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_sudo_handler_reply] (0x0200): SUDO Backend returned: (0, 0, Success) (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[(nil)], ldap[0x7f2389333ff0] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=grpunixadmins] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_req_set_domain] (0x0400): Changing request domain from [<a href="http://linuxdomain.cz">linuxdomain.cz</a>] to [<a href="http://linuxdomain.cz">linuxdomain.cz</a>] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=linuxdomain,dc=cz] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_add] (0x2000): New operation 22 timeout 6 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_destructor] (0x2000): Operation 22 finished (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_search_users] (0x2000): No such entry (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_nested_group_process_send] (0x2000): Members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be processed individually (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_add] (0x2000): New operation 23 timeout 6 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_destructor] (0x2000): Operation 23 finished (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0! (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_group] (0x0400): Processing group grpunixadmins (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_group] (0x2000): This is a posix group (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [grpunixadmins]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [grpunixadmins]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_ghost_members] (0x0400): The group has 1 members (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_ghost_members] (0x0400): Group has 1 members (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_group] (0x0400): Storing info for group grpunixadmins (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_group] (0x0400): Processing group ad_admins_external (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_group] (0x2000): This is not a posix group (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [ad_admins_external]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [ad_admins_external]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_ghost_members] (0x0400): The group has 0 members (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_ghost_members] (0x0400): Group has 0 members (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_group] (0x0400): Storing info for group ad_admins_external (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_grpmem] (0x0400): Processing group grpunixadmins (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_grpmem] (0x0400): Adding member users to group [grpunixadmins] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_fill_memberships] (0x1000): member #0 (cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz): [name=ad_admins_external,cn=groups,cn=<a href="http://linuxdomain.cz">linuxdomain.cz</a>,cn=sysdb] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_grpmem] (0x0400): Processing group ad_admins_external (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_grpmem] (0x0400): Failed to get group sid (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_save_grpmem] (0x0400): No members for group [ad_admins_external] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_nested_done] (0x2000): No external members, done(Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_add] (0x2000): New operation 24 timeout 60 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_destructor] (0x2000): Operation 24 finished (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[(nil)], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_req_set_domain] (0x0400): Changing request domain from [<a href="http://linuxdomain.cz">linuxdomain.cz</a>] to [<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_add] (0x2000): New operation 25 timeout 60 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893168e0], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_destructor] (0x2000): Operation 25 finished (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 26 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_add] (0x2000): New operation 26 timeout 6 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_destructor] (0x2000): Operation 26 finished (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_search_by_name] (0x0400): No such entry (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 27 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_add] (0x2000): New operation 27 timeout 6 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_op_destructor] (0x2000): Operation 27 finished (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a> (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_update_members_ex] (0x0020): Could not add member [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] to group [name=<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>,cn=groups,cn=<a href="http://sd-stc.cz">sd-stc.cz</a>,cn=sysdb]. Skipping. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a> (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_update_members_ex] (0x0020): Could not add member [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] to group [name=<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>,cn=groups,cn=<a href="http://sd-stc.cz">sd-stc.cz</a>,cn=sysdb]. Skipping. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[(nil)], ldap[0x7f2389352030] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_req_set_domain] (0x0400): Changing request domain from [<a href="http://linuxdomain.cz">linuxdomain.cz</a>] to [<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): domain: <a href="http://sd-stc.cz">sd-stc.cz</a> (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): user: <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a> (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): service: sudo (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): ruser: <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a> (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): rhost: (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): priv: 0 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): cli_pid: 32185 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): logon name: not set (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] is empty, running request [0x7f2389359480] immediately. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [get_server_status] (0x1000): Status of server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' is 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [get_port_status] (0x1000): Port status of port 0 for server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' is 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [get_server_status] (0x1000): Status of server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' is 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_resolve_server_process] (0x0200): Found address for server <a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>: [10.1.123.103] TTL 1199 (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [32186] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [child_handler_setup] (0x2000): Signal handler set up for pid [32186] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [fo_set_port_status] (0x0100): Marking port 0 of server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' as 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [set_server_common_status] (0x0100): Marking server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' as 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' as 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [check_wait_queue] (0x1000): Wait queue for user [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] is empty. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f2389359480] done. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler_callback] (0x0100): Sending result [0][<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler_callback] (0x0100): Sent result [0][<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [child_sig_handler] (0x1000): Waiting for child [32186]. (Wed Jul 6 15:19:54 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [child_sig_handler] (0x0100): child [32186] finished successfully. <div> I'll appreciate any other hints if you have some. </div><div>Thanks, </div><div>Tomas Simecek </div><div> </div></div><div class="gmail_extra"> <div class="gmail_quote">2016-07-05 15:58 GMT+02:00 Danila Ladner <<a href="mailto:ladner.danila@gmail.com" target="_blank">ladner.danila@gmail.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">What about /etc/nsswitch.conf?<div>Does it have "sudo: files sss"?</div></div><div class="gmail_extra"> <div class="gmail_quote"><div><div class="h5">On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek <<a href="mailto:simecek.tomas@gmail.com" target="_blank">simecek.tomas@gmail.com</a>> wrote: </div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">Dear freeipa users/admins, I'm trying to implement freeipa in our company, so that our Unix admins can authenticate on Linux servers using their Windows AD account. Following this guide <a href="https://www.freeipa.org/page/Active_Directory_trust_setup" target="_blank">https://www.freeipa.org/page/Active_Directory_trust_setup</a> it seems to work well, they can login without problems. What I cannot make working is sudo from their AD accounts on Linux. No matter what I try, it is still: sudo systemctl restart httpd [sudo] password for <a href="mailto:simecek.tomas@sd-stc.cz" target="_blank">simecek.tomas@sd-stc.cz</a>: Sorry, try again. Here's our setup: Freeipa server: CentOS Linux release 7.2.1511 (Core), ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 Freeipa client: the same AD domain name: <a href="http://sd-stc.cz" target="_blank">sd-stc.cz</a> IPA domain: <a href="http://linuxdomain.cz" target="_blank">linuxdomain.cz</a> When digging in logs and googling, I realized that the problem on client side could be: [root@spcss-2t-www ~]# kinit -k kinit: Cannot determine realm for host (principal host/spcss-2t-www@) But this seems to work: [root@spcss-2t-www ~]# kinit <a href="mailto:simecek.tomas@SD-STC.CZ" target="_blank">simecek.tomas@SD-STC.CZ</a> Password for <a href="mailto:simecek.tomas@SD-STC.CZ" target="_blank">simecek.tomas@SD-STC.CZ</a>: [root@spcss-2t-www ~]# klist Default principal: <a href="mailto:simecek.tomas@SD-STC.CZ" target="_blank">simecek.tomas@SD-STC.CZ</a> Valid starting Expires Service principal 07/04/2016 09:36:26 07/04/2016 19:36:26 krbtgt/<a href="mailto:SD-STC.CZ@SD-STC.CZ" target="_blank">SD-STC.CZ@SD-STC.CZ</a> renew until 07/05/2016 09:36:23 My /etc/sssd/sssd.conf: [domain/<a href="http://linuxdomain.cz" target="_blank">linuxdomain.cz</a>] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = <a href="http://linuxdomain.cz" target="_blank">linuxdomain.cz</a> krb5_realm = <a href="http://LINUXDOMAIN.CZ" target="_blank">LINUXDOMAIN.CZ</a> id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = <a href="http://spcss-2t-www.linuxdomain.cz" target="_blank">spcss-2t-www.linuxdomain.cz</a> chpass_provider = ipa ipa_server = <a href="http://svlxxipap.linuxdomain.cz" target="_blank">svlxxipap.linuxdomain.cz</a> ldap_tls_cacert = /etc/ipa/ca.crt override_shell = /bin/bash sudo_provider = ldap ldap_uri = ldap://<a href="http://svlxxipap.linuxdomain.cz" target="_blank">svlxxipap.linuxdomain.cz</a> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/<a href="mailto:spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ" target="_blank">spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ</a> ldap_sasl_realm = <a href="http://LINUXDOMAIN.CZ" target="_blank">LINUXDOMAIN.CZ</a> krb5_server = <a href="http://svlxxipap.linuxdomain.cz" target="_blank">svlxxipap.linuxdomain.cz</a> [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = <a href="http://linuxdomain.cz" target="_blank">linuxdomain.cz</a> [nss] homedir_substring = /home .... My /etc/krb5.conf: #File modified by ipa-client-install includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = <a href="http://LINUXDOMAIN.CZ" target="_blank">LINUXDOMAIN.CZ</a> dns_lookup_realm = true dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = yes udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] <a href="http://LINUXDOMAIN.CZ" target="_blank">LINUXDOMAIN.CZ</a> = { pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .<a href="http://linuxdomain.cz" target="_blank">linuxdomain.cz</a> = <a href="http://LINUXDOMAIN.CZ" target="_blank">LINUXDOMAIN.CZ</a> <a href="http://linuxdomain.cz" target="_blank">linuxdomain.cz</a> = <a href="http://LINUXDOMAIN.CZ" target="_blank">LINUXDOMAIN.CZ</a> Would you please suggest which way to investigate? Thanks Tomas Simecek </div> </div></div>-- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div> </div> </blockquote></div> </div>