[Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
Pavel Březina
pbrezina at redhat.com
Thu Apr 25 10:38:18 UTC 2013
On 04/24/2013 07:20 PM, Aly Khimji wrote:
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
Hi,
this looks like an SELinux problem to me. What happens when you set
SELinux to permissive?
Also, does this problem occur only with sudo, or are other services
affected too (id, authentication, ssh)?
Can you please perform the following commands? It will remove the cache and logs,
so do it in a safe non-production environment.
As root:
# service sssd stop
# rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
# service sssd start
As normal user:
$ su ad-user@trusted-domain
$ sudo -l
$ exit
And send us the sanitized logs (all of them).
Thank you.