<div dir="ltr"><div><div>Diky Jakube, </div>in domain log below I can see that rules were found properly: (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery] </div>It also matches the rule and says "Access granted": (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=<a href="http://spcss-2t-www.linuxdomain.cz">spcss-2t-www.linuxdomain.cz</a>,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_host_attrs_to_rule] (0x2000): Added host [<a href="http://zp-cml-test.linuxdomain.cz">zp-cml-test.linuxdomain.cz</a>] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_eval_user_element] (0x1000): [1] groups for [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery] <div> </div><div>It also mentiones SELinux, but I know it is disabled. </div><div>Any idea what to check next please? </div><div>Full part of the log follows: (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_get_account_info] (0x0100): Got request for [3][1][name=simecek.tomas] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_req_set_domain] (0x0400): Changing request domain from [<a href="http://linuxdomain.cz">linuxdomain.cz</a>] to [<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache. (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_req_set_domain] (0x0400): Changing request domain from [<a href="http://linuxdomain.cz">linuxdomain.cz</a>] to [<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): domain: <a href="http://sd-stc.cz">sd-stc.cz</a> (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): user: <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a> (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): service: sudo (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): ruser: <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a> (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): rhost: (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): authtok type: 1 (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): priv: 0 (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): cli_pid: 27305 (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [switch_creds] (0x0200): Switch user to [988604700][988604700]. (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [get_server_status] (0x1000): Status of server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' is 'working' (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [get_port_status] (0x1000): Port status of port 0 for server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' is 'working' (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [get_server_status] (0x1000): Status of server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' is 'working' (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_resolve_server_process] (0x0200): Found address for server <a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>: [10.1.123.103] TTL 601 (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [27310] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [child_handler_setup] (0x2000): Signal handler set up for pid [27310] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][SD-STC] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21 (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22 (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170] (Wed Jul 13 12:05:20 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>) [Success] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [child_sig_handler] (0x1000): Waiting for child [27310]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [child_sig_handler] (0x0100): child [27310] finished successfully. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [parse_krb5_child_response] (0x1000): child response [0][3][45]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][24]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [parse_krb5_child_response] (0x1000): TGT times are [1468404320][1468404320][1468440320][1468490720]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [parse_krb5_child_response] (0x1000): child response [0][6][8]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [fo_set_port_status] (0x0100): Marking port 0 of server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' as 'working' (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [set_server_common_status] (0x0100): Marking server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' as 'working' (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server '<a href="http://svlxxipap.linuxdomain.cz">svlxxipap.linuxdomain.cz</a>' as 'working' (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [switch_creds] (0x0200): Switch user to [988604700][988604700]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sss_krb5_check_ccache_princ] (0x2000): Searching for [<a href="mailto:simecek.tomas@SD-STC.CZ">simecek.tomas@SD-STC.CZ</a>] in cache of type [FILE] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the same, none will be deleted. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler_callback] (0x0100): Sending result [0][<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler_callback] (0x0100): Sent result [0][<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_get_account_info] (0x0100): Got request for [3][1][name=simecek.tomas] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_req_set_domain] (0x0400): Changing request domain from [<a href="http://linuxdomain.cz">linuxdomain.cz</a>] to [<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_req_set_domain] (0x0400): Changing request domain from [<a href="http://linuxdomain.cz">linuxdomain.cz</a>] to [<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): domain: <a href="http://sd-stc.cz">sd-stc.cz</a> (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): user: <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a> (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): service: sudo (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): ruser: <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a> (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): rhost: (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): priv: 0 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [pam_print_data] (0x0100): cli_pid: 27305 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_access_send] (0x0400): Performing access check for user [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=<a href="http://zp-cml-test.linuxdomain.cz">zp-cml-test.linuxdomain.cz</a>))][cn=accounts,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=<a href="http://zp-cml-test.linuxdomain.cz">zp-cml-test.linuxdomain.cz</a>,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=<a href="http://zp-cml-test.linuxdomain.cz">zp-cml-test.linuxdomain.cz</a>,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 27 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=<a href="http://zp-cml-test.linuxdomain.cz">zp-cml-test.linuxdomain.cz</a>,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=<a href="http://zp-cml-test.linuxdomain.cz">zp-cml-test.linuxdomain.cz</a>,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 28 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_search_users] (0x2000): No such entry (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=<a href="http://spcss-2t-www.linuxdomain.cz">spcss-2t-www.linuxdomain.cz</a>,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_host_attrs_to_rule] (0x2000): Added host [<a href="http://zp-cml-test.linuxdomain.cz">zp-cml-test.linuxdomain.cz</a>] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_eval_user_element] (0x1000): [1] groups for [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_get_selinux_send] (0x2000): Connection status is [online]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaMigrationEnabled] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapDefault] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapOrder] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaMigrationEnabled] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapDefault] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapOrder] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 30 (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found! (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler_callback] (0x0100): Sending result [0][<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [be_pam_handler_callback] (0x0100): Sent result [0][<a href="http://sd-stc.cz">sd-stc.cz</a>] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[<a href="http://linuxdomain.cz">linuxdomain.cz</a>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! <div class="gmail_extra"> </div><div class="gmail_extra">Tomas Simecek </div><div class="gmail_extra"> <div class="gmail_quote">2016-07-13 11:50 GMT+02:00 Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class=""><div class="h5">On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote: > Dear freeIPA gurus, > in previous thread ( > <a href="https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html</a>) you > helped me make sudo working for AD users on Centos 7.0 ( > <a href="http://spcss-2t-www.linuxdomain.cz" rel="noreferrer" target="_blank">spcss-2t-www.linuxdomain.cz</a>). > It was caused by not knowing sudo needs to be enabled in HBAC rules. > Now it works properly on Centos 7.0 client. > But it does not work on Centos 6.5 (<a href="http://zp-cml-test.linuxdomain.cz" rel="noreferrer" target="_blank">zp-cml-test.linuxdomain.cz</a>) with the > same sssd.conf setup. > Error message is always: > > [simecek.tomas@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf > [sudo] password for <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>: > <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a> is not allowed to run sudo on zp-cml-test. This > incident will be reported. > > Here are my HBAC rules, the second one should apply. It definitely applies > for Centos 7.0 server: > [root@svlxxipap ~]# ipa hbacrule-find > -------------------- > 2 HBAC rules matched > -------------------- > Rule name: allow_all > User category: all > Host category: all > Service category: all > Description: Allow all users to access any host from any host > Enabled: FALSE > > Rule name: Unixari na test servery > Enabled: TRUE > User Groups: grpunixadmins > Hosts: <a href="http://spcss-2t-www.linuxdomain.cz" rel="noreferrer" target="_blank">spcss-2t-www.linuxdomain.cz</a>, <a href="http://zp-cml-test.linuxdomain.cz" rel="noreferrer" target="_blank">zp-cml-test.linuxdomain.cz</a> > Services: login, sshd, sudo, sudo-i, su, su-l > ---------------------------- > Number of entries returned 2 > ---------------------------- > > This is my /etc/sssd/sssd.conf. It the same like on Centos 7.0 server, just > with proper server name of course: > > [root@zp-cml-test sssd]# cat /etc/sssd/sssd.conf > [domain/<a href="http://linuxdomain.cz" rel="noreferrer" target="_blank">linuxdomain.cz</a>] > cache_credentials = True > krb5_store_password_if_offline = True > ipa_domain = <a href="http://linuxdomain.cz" rel="noreferrer" target="_blank">linuxdomain.cz</a> > id_provider = ipa > krb5_realm = <a href="http://LINUXDOMAIN.CZ" rel="noreferrer" target="_blank">LINUXDOMAIN.CZ</a> > auth_provider = ipa > access_provider = ipa > ipa_hostname = <a href="http://zp-cml-test.linuxdomain.cz" rel="noreferrer" target="_blank">zp-cml-test.linuxdomain.cz</a> > chpass_provider = ipa > ipa_server = <a href="http://svlxxipap.linuxdomain.cz" rel="noreferrer" target="_blank">svlxxipap.linuxdomain.cz</a> > ldap_tls_cacert = /etc/ipa/ca.crt > override_shell = /bin/bash > sudo_provider = ldap > ldap_uri = ldap://<a href="http://svlxxipap.linuxdomain.cz" rel="noreferrer" target="_blank">svlxxipap.linuxdomain.cz</a> > ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz > ldap_sasl_mech = GSSAPI > #ldap_sasl_authid = host/<a href="mailto:zp-cml-test.linuxdomain.cz@LINUXDOMAIN.CZ">zp-cml-test.linuxdomain.cz@LINUXDOMAIN.CZ</a> > ldap_sasl_authid = host/<a href="http://zp-cml-test.linuxdomain.cz" rel="noreferrer" target="_blank">zp-cml-test.linuxdomain.cz</a> > ldap_sasl_realm = <a href="http://LINUXDOMAIN.CZ" rel="noreferrer" target="_blank">LINUXDOMAIN.CZ</a> > krb5_server = <a href="http://svlxxipap.linuxdomain.cz" rel="noreferrer" target="_blank">svlxxipap.linuxdomain.cz</a> > > [sssd] > services = nss, sudo, pam, ssh > config_file_version = 2 > debug_level = 0x3ff0 > domains = <a href="http://linuxdomain.cz" rel="noreferrer" target="_blank">linuxdomain.cz</a> > [nss] > homedir_substring = /home > > [pam] > [sudo] > debug_level = 0x3ff0 > [autofs] > [ssh] > [pac] > [ifp] > > This is output from sssd_sudo.log: > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): > Client connected! > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > Received client version [1]. > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > Offered version [1]. > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > protocol version [1] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name '<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>' matched expression for domain ' > <a href="http://sd-stc.cz" rel="noreferrer" target="_blank">sd-stc.cz</a>', user is simecek.tomas > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name '<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>' matched expression for domain ' > <a href="http://sd-stc.cz" rel="noreferrer" target="_blank">sd-stc.cz</a>', user is simecek.tomas > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting default options for [simecek.tomas] from [<a href="http://sd-stc.cz" rel="noreferrer" target="_blank">sd-stc.cz</a>] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > Returning info for user [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): > Retrieving default options for [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] from [<a href="http://sd-stc.cz" rel="noreferrer" target="_blank">sd-stc.cz</a>] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] > (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>)(sudoUser=#988604700)(sudoUser=%domain > <a href="mailto:users@sd-stc.cz">users@sd-stc.cz</a>)(sudoUser=%<a href="mailto:unixadmins@sd-stc.cz">unixadmins@sd-stc.cz</a>)(sudoUser=% > <a href="mailto:mfcr_mfg@sd-stc.cz">mfcr_mfg@sd-stc.cz</a>)(sudoUser=%<a href="mailto:account@sd-stc.cz">account@sd-stc.cz</a>)(sudoUser=%<a href="mailto:wifi@sd-stc.cz">wifi@sd-stc.cz</a> > )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About > to get sudo rules from cache > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] > (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] > (0x0400): Returning 0 rules for [<default options>@<a href="http://sd-stc.cz" rel="noreferrer" target="_blank">sd-stc.cz</a>] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > protocol version [1] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name '<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>' matched expression for domain ' > <a href="http://sd-stc.cz" rel="noreferrer" target="_blank">sd-stc.cz</a>', user is simecek.tomas > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name '<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>' matched expression for domain ' > <a href="http://sd-stc.cz" rel="noreferrer" target="_blank">sd-stc.cz</a>', user is simecek.tomas > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting rules for [simecek.tomas] from [<a href="http://sd-stc.cz" rel="noreferrer" target="_blank">sd-stc.cz</a>] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > Returning info for user [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): > Retrieving rules for [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] from [<a href="http://sd-stc.cz" rel="noreferrer" target="_blank">sd-stc.cz</a>] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] > (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > <a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>)(sudoUser=#988604700)(sudoUser=%domain > <a href="mailto:users@sd-stc.cz">users@sd-stc.cz</a>)(sudoUser=%<a href="mailto:unixadmins@sd-stc.cz">unixadmins@sd-stc.cz</a>)(sudoUser=% > <a href="mailto:mfcr_mfg@sd-stc.cz">mfcr_mfg@sd-stc.cz</a>)(sudoUser=%<a href="mailto:account@sd-stc.cz">account@sd-stc.cz</a>)(sudoUser=%<a href="mailto:wifi@sd-stc.cz">wifi@sd-stc.cz</a> > )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About > to get sudo rules from cache > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] > (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>)(sudoUser=#988604700)(sudoUser=%domain > <a href="mailto:users@sd-stc.cz">users@sd-stc.cz</a>)(sudoUser=%<a href="mailto:unixadmins@sd-stc.cz">unixadmins@sd-stc.cz</a>)(sudoUser=% > <a href="mailto:mfcr_mfg@sd-stc.cz">mfcr_mfg@sd-stc.cz</a>)(sudoUser=%<a href="mailto:account@sd-stc.cz">account@sd-stc.cz</a>)(sudoUser=%<a href="mailto:wifi@sd-stc.cz">wifi@sd-stc.cz</a> > )(sudoUser=%grpunixadmins)(sudoUser=+*)))] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] > (0x0400): Returning 0 rules for [<a href="mailto:simecek.tomas@sd-stc.cz">simecek.tomas@sd-stc.cz</a>] > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client > disconnected! > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000): > Terminated client [0x1330300][18] </div></div>When you look into the domain logs, do they show some rules being fetched? You can also install ldbsearch and then check what rules got stored in the cache: ldbsearch -H /var/lib/sss/db/cache_$domain.ldb -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div> </div></div></div>