[Freeipa-users] sudo with freeIPA

Megan . nagemnna at gmail.com
Mon Aug 25 12:33:51 UTC 2014


ok.  Changed debug_level to 7.  I already had it in the domain section (first line).

Not sure if this makes a difference

[root at map1 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

from sssd_sudo.log

(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Received client version [1].
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Offered version [1].
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [tuser2] from [<ALL>]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [tuser2 at server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [tuser2 at server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [tuser2] from [server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
[<default options>@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [tuser2] from [<ALL>]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [tuser2 at server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [tuser2 at server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [tuser2] from [server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
[tuser2 at server.domain.com]
(Mon Aug 25 12:31:42 2014) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!

from sssd_server.log

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x0400): Got get subdomains [not forced][]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x0400): Cannot proceed, provider is offline.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x1000): Request processed. Returned
1,11,Provider is offline

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Got request for
[4098][1][idnumber=1079600005]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast
reply - offline

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 0 for server '(no
name)' is 'neutral'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_send] (0x0200): The status of SRV lookup is neutral

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use
DNS discovery domain 'server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_cont] (0x0100): Searching for servers via SRV query
'_ldap._tcp.server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
'_ldap._tcp.server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[request_watch_destructor] (0x0400): Deleting request watch

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as
'not working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as
'not resolved'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Trying with the next one!

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 0 for server
'dir1.server.domain.com' is 'neutral'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipa_resolve_callback] (0x0400): Constructed uri
'ldap://dir1.server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for
connecting

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://dir1.server.domain.com:389/??base] with fd [25].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[namingContexts]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedControl]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedExtension]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedFeatures]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedLDAPVersion]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedSASLMechanisms]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[domainControllerFunctionality]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[defaultNamingContext]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[highestCommittedUSN]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_send] (0x0400): Attempting kinit (default,
host/map1.server.domain.com, server.domain.com, 86400)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
TGT...

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[create_tgt_req_send_buffer] (0x1000): buffer size: 72

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt
child

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[write_pipe_handler] (0x0400): All data has been sent!

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[read_pipe_handler] (0x0400): EOF received, client finished

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_server.domain.com], expired on
[1409056143]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_cli_auth_step] (0x0100): expire timeout is 900

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_cli_auth_step] (0x1000): the connection will expire at
1408970643

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user:
host/map1.server.domain.com

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x1000): Waiting for child [17983].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x0100): child [17983] finished successfully.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_set_port_status] (0x0100): Marking port 0 of server
'dir1.server.domain.com' as 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_server_common_status] (0x0100): Marking server
'dir1.server.domain.com' as 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base
[cn=accounts,dc=server,dc=domain,dc=com]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(gidNumber=1079600005)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=server,dc=domain,dc=com].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[modifyTimestamp]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_run_online_cb] (0x0080): Going online. Running callbacks.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_groups_process] (0x0400): Search for groups, returned 1
results.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_has_deref_support] (0x0400): The server supports deref method
OpenLDAP

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_group] (0x0400): Processing group tuser2

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_group] (0x1000): Original USN value is not available for
[tuser2].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_process_ghost_members] (0x0400): The group has 0 members

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_process_ghost_members] (0x0400): Group has 0 members

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_group] (0x0400): Storing info for group tuser2

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_grpmem] (0x1000): No members for group [tuser2]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_grpmem] (0x0400): Storing members for group tuser2

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
1408969743

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo
rules

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 389 for server
'dir1.server.domain.com' is 'not working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x0100): Reseting the status of port 389 for server
'dir1.server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_uri_callback] (0x0400): Constructed uri
'ldap://dir1.server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for
connecting

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://dir1.server.domain.com:389/??base] with fd [26].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[namingContexts]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedControl]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedExtension]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedFeatures]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedLDAPVersion]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedSASLMechanisms]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[domainControllerFunctionality]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[defaultNamingContext]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[highestCommittedUSN]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_send] (0x0400): Attempting kinit (default,
host/dir1.server.domain.com, server.domain.com, 86400)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service
KERBEROS

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'KERBEROS'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
TGT...

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[create_tgt_req_send_buffer] (0x1000): buffer size: 72

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt
child

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[write_pipe_handler] (0x0400): All data has been sent!

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[read_pipe_handler] (0x0400): EOF received, client finished

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_tgt_recv] (0x0400): Child responded: 14 [Error writing to
key table], expired on [0]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [5] result [4]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_set_port_status] (0x0100): Marking port 389 of server
'dir1.server.domain.com' as 'not working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 389 for server
'dir1.server.domain.com' is 'not working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0020): No available servers for service
'LDAP'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x1000): Waiting for child [17984].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x0100): child [17984] finished successfully.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_done] (0x1000): Server resolution failed: 5

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline
(5 [Input/output error])

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_run_offline_cb] (0x0080): Going offline. Running callbacks.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full
refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily
unavailable)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is
offline. Scheduling another full refresh in 6 minutes.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
1408970103

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
1408969743

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo
rules

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full
refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily
unavailable)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is
offline. Scheduling another full refresh in 8 minutes.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
1408970223

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaNTTrustedDomain][cn=trusts,dc=server,dc=domain,dc=com].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTFlatName]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustedDomainSID]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaIDRange][cn=ranges,cn=etc,dc=server,dc=domain,dc=com].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSecondaryBaseRID]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaIDRangeSize]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustedDomainSID]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_update_ranges] (0x0400): Adding range
[server.domain.com_id_range].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_range_create] (0x0040): Invalid range, expected that either the
secondary base rid or the SID of the trusted domain is set, but not
both or none of them.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_range_create] (0x0400): Error: 22 (Invalid argument)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_update_ranges] (0x0040): sysdb_range_create failed.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipa_subdomains_handler_ranges_done] (0x0040): sysdb_update_ranges
failed.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[delayed_online_authentication_callback] (0x0200): Backend is online,
starting delayed online authentication.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file
or directory]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kdcinfo.server.domain.com], [2][No such file or
directory]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file
or directory]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=tuser2]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler] (0x0100): Got request with the following data

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): domain: server.domain.com

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): user: tuser2

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): service: sudo

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/1

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): ruser: tuser2

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): rhost:

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok type: 1

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok size: 23

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok type: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok size: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): priv: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): cli_pid: 17982

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[cc_residual_is_used] (0x1000): User [1079600005] is still active,
reusing ccache [/tmp/krb5cc_1079600005_Hfzpn4].

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[check_for_valid_tgt] (0x1000): TGT end time [1409049392].

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[check_for_valid_tgt] (0x0080): TGT is valid.

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 0 for server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[ipa_resolve_callback] (0x0400): Constructed uri
'ldap://dir1.server.domain.com'

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[krb5_find_ccache_step] (0x0080): Saved ccache
FILE:/tmp/krb5cc_1079600005_Hfzpn4 if of different type than ccache in
configuration file, reusing the old ccache

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[sysdb_cache_auth] (0x0100): Hashes do match!

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>)
[Provider is Offline (Authentication service cannot retrieve
authentication info)]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sending result
[9][server.domain.com]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [9][server.domain.com]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler] (0x0100): Got request with the following data

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): command: PAM_ACCT_MGMT

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): domain: server.domain.com

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): user: tuser2

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): service: sudo

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/1

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): ruser: tuser2

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): rhost:

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok type: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok size: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok type: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok size: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): priv: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): cli_pid: 17982

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[sdap_access_send] (0x0400): Performing access check for user [tuser2]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[sdap_account_expired_rhds] (0x0400): Performing RHDS access check for
user [tuser2]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_attrs_to_rule] (0x1000): Processing rule [allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_user_attrs_to_rule] (0x1000): Processing users for rule
[allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for
rule [allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule
[allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
[allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_eval_user_element] (0x1000): [2] groups for [tuser2]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_eval_user_element] (0x1000): Added group [ipausers] for user
[tuser2]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sending result
[0][server.domain.com]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][server.domain.com]

On Mon, Aug 25, 2014 at 8:11 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> On Mon, Aug 25, 2014 at 06:51:27AM -0400, Megan . wrote:
>> Good Morning,
>>
>> I'm very new to freeIPA.  I'm running centOS 6.5 with freeIPA v3
>>
>> I have the freeIPA server up but i'm working on getting SUDO
>> configured.  Currently i'm having problems getting sudo commands to
>> work on the client.  I'm a bit unclear if i have everything configured
>> correctly.  The only thing that I can figure out might be an issue, is
>> when i try the sudo command i see a filter search with
>> objectclass=sudoRule but when i check the ldap server it has
>
> These two searches are unrelated. The sudoRule objectclass is what we use
> internally in sssd cache. On the LDAP side, sudoRole is used.
>
> In general, only the [domain] process works with LDAP data, all others
> (nss, pam, sudo, ...) work with cached data that might look totally
> different.
>
>> objectclass=sudoRole, so there are no results.
>>
>> Any ideas?  Thank you in advance for any advice.
>>
>
> Can you put debug_level into the domain section as well and increase the
> debug_level of both to 7?
>
>>
>>
>> [tuser2 at map1 ~]$ sudo /sbin/iptables -L
>> Enter RSA PIN+token:
>> tuser2 is not allowed to run sudo on map1.  This incident will be reported.
>>
>>
>> CLIENT:
>>
>> yum installed libsss_sudo
>>
>> I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
>>
>> **still not sure what this is for **
>> Created a sudo user on ldap server
>> ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory
>> Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
>> **
>
> The config file looks good to me.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
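A small parser for SSSD back-end debug log excerpts like the one pasted above, added here as an example and not part of the thread or of SSSD itself. It re-joins entries that the mail wrapping split across lines, then reports each "Backend returned" result with the PAM phase it belongs to, the PAM status name, and any HBAC rule that granted the account phase. The sample lines are constructed to match the page's log format (the PAM_AUTHENTICATE request is assumed, since the excerpt above only shows its result); the status names come from the Linux-PAM return codes (9 is PAM_AUTHINFO_UNAVAIL, matching the "Authentication service cannot retrieve authentication info" text in the log), and the data-provider names for the first tuple field are an assumed enum order that the log's own "[Provider is Offline ...]" text confirms for the value 1.

```python
"""Summarise SSSD back-end ("be") debug log excerpts like the one above:
re-join entries that mail wrapping split across lines, then report each PAM
back-end result together with the HBAC rule that decided it.

Added example for this thread, not SSSD's or the poster's code. SAMPLE_LOG is
constructed to match the page's log format."""
import re
from dataclasses import dataclass
from typing import Optional

# A physical entry looks like:
# "(Mon Aug 25 12:29:10 2014) [sssd[component]] [function] (0xLEVEL): message"
ENTRY_START = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}\) ")
ENTRY_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.+?)\]\] \[(?P<func>\w+)\] "
                      r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
RESULT_RE = re.compile(r"Backend returned: \((\d+), (\d+), (.*?)\) \[(.*)\]")
HBAC_RE = re.compile(r"Access granted by HBAC rule \[(.*?)\]")

# Linux-PAM return codes; 9 is the status the log above reports alongside
# "Authentication service cannot retrieve authentication info".
PAM_STATUS = {0: "PAM_SUCCESS", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
              9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}
# First tuple field: sssd data-provider status (assumed enum order; the log's
# own "[Provider is Offline ...]" text confirms that 1 means offline).
DP_ERR = {0: "DP_ERR_OK", 1: "DP_ERR_OFFLINE", 2: "DP_ERR_TIMEOUT", 3: "DP_ERR_FATAL"}


@dataclass
class PamResult:
    command: Optional[str]    # PAM phase from the preceding pam_print_data block
    user: Optional[str]
    dp_err: str
    pam_status: str
    detail: str               # bracketed text at the end of the line
    hbac_rule: Optional[str]  # HBAC rule that granted the account phase, if any


def reassemble(lines):
    """Join mail-wrapped continuation lines back onto their entry; drop blanks."""
    entries, cur = [], None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            if cur is not None:
                entries.append(cur)
            cur = line
        elif cur is not None:          # continuation of the current entry
            cur += " " + line
    if cur is not None:
        entries.append(cur)
    return entries


def parse(lines):
    """Yield (function, message) for every well-formed entry, in order."""
    for raw in reassemble(lines):
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("func"), m.group("msg")


def summarize(lines):
    """Walk the entries in order, remembering which PAM request is being printed."""
    results, command, user, hbac_rule = [], None, None, None
    for func, msg in parse(lines):
        if func == "pam_print_data":
            key, _, value = msg.partition(": ")
            if key == "command":
                command, hbac_rule = value, None   # a new PAM request starts here
            elif key == "user":
                user = value
        elif func == "ipa_hbac_evaluate_rules":
            m = HBAC_RE.search(msg)
            if m:
                hbac_rule = m.group(1)
        elif func == "be_pam_handler_callback":
            m = RESULT_RE.search(msg)
            if m:
                dp, pam = int(m.group(1)), int(m.group(2))
                results.append(PamResult(command, user, DP_ERR.get(dp, str(dp)),
                                         PAM_STATUS.get(pam, str(pam)), m.group(4), hbac_rule))
    return results


def offline_results(results):
    """Requests answered while the provider was offline: the client then works
    from its cache rather than the IPA server, which is worth alerting on."""
    return [r for r in results if r.dp_err == "DP_ERR_OFFLINE"]


# Constructed sample in the page's wrapped format (PAM_AUTHENTICATE phase assumed).
SAMPLE_LOG = """\
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): user: tuser2

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>)
[Provider is Offline (Authentication service cannot retrieve
authentication info)]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): command: PAM_ACCT_MGMT

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
"""

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG.splitlines()):
        print(f"{r.command}: {r.dp_err}/{r.pam_status} user={r.user} hbac={r.hbac_rule}")
```

Run over the excerpt above, the summary shows the pattern that is easy to miss when reading raw entries: the authenticate phase was answered with DP_ERR_OFFLINE / PAM_AUTHINFO_UNAVAIL right after "Hashes do match!", so the client was working from cached data, while the account phase was granted by the allow_all HBAC rule. Jakub's point that only the domain process talks to LDAP and everything else reads the cache is exactly why an offline result here deserves a second look before debugging the sudo rules themselves.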