[Freeipa-users] sudo with freeIPA

William Graboyes wgraboyes at cenic.org
Mon Aug 25 21:54:24 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Megan,

I had the same problem with CentOS 6.5 and FreeIPA.  I did a ton of
searching, and IIRC the conclusion was a bug in that version of sssd.  I
don't remember all of the details; however, I do remember the
workaround.

Create a system account (in this case I called it sudo).

Create or edit the following file.

/etc/sudo-ldap.conf

## BINDDN DN
##  The BINDDN parameter specifies the identity, in the form of a
##  Distinguished Name (DN), to use when performing LDAP operations.  If
##  not specified, LDAP operations are performed with an anonymous
##  identity.  By default, most LDAP servers will allow anonymous
##  access.
##
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com

## BINDPW secret
##  The BINDPW parameter specifies the password to use when performing
##  LDAP operations.  This is typically used in conjunction with the
##  BINDDN parameter.
##
bindpw ${obfusticated}

## SSL start_tls
##  If the SSL parameter is set to start_tls, the LDAP server
##  connection is initiated normally and TLS encryption is begun before the
##  bind credentials are sent.  This has the advantage of not requiring
##  a dedicated port for encrypted communications.  This parameter is
##  only supported by LDAP servers that honor the start_tls extension,
##  such as the OpenLDAP and Tivoli Directory servers.
##
ssl start_tls

## TLS_CACERTFILE file name
##  The path to a certificate authority bundle which contains the
##  certificates for all the Certificate Authorities the client knows to
##  be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only
##  supported by the OpenLDAP libraries.  Netscape-derived LDAP libraries
##  use the same certificate database for CA and client certificates
##  (see TLS_CERT).
##
tls_cacertfile /etc/ipa/ca.crt

## TLS_CHECKPEER on/true/yes/off/false/no
##  If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
##  certificate to be verified.  If the server's TLS certificate cannot be
##  verified (usually because it is signed by an unknown certificate
##  authority), sudo will be unable to connect to it.  If TLS_CHECKPEER
##  is disabled, no check is made.  Note that disabling the check
##  creates an opportunity for man-in-the-middle attacks since the
##  server's identity will not be authenticated.  If possible, the CA's
##  certificate should be installed locally so it can be verified.
##  This option is not supported by the Tivoli Directory Server LDAP
##  libraries.
tls_checkpeer yes

##
## URI ldap[s]://[hostname[:port]] ...
##  Specifies a whitespace-delimited list of one or more
##  URIs describing the LDAP server(s) to connect to.
##
uri ldap://freeipaserver1 ldap://freeipaserver2

##
## SUDOERS_BASE base
##  The base DN to use when performing sudo LDAP queries.
##  Multiple SUDOERS_BASE lines may be specified, in which
##  case they are queried in the order specified.
##
sudoers_base ou=sudoers,dc=domain,dc=com

##
## BIND_TIMELIMIT seconds
##  The BIND_TIMELIMIT parameter specifies the amount of
##  time to wait while trying to connect to an LDAP server.
##
#bind_timelimit 30

##
## TIMELIMIT seconds
##  The TIMELIMIT parameter specifies the amount of time
##  to wait for a response to an LDAP query.
##
#timelimit 30

##
## SUDOERS_DEBUG debug_level
##  This sets the debug level for sudo LDAP queries. Debugging
##  information is printed to the standard error. A value of 1
##  results in a moderate amount of debugging information.
##  A value of 2 shows the results of the matches themselves.
##
sudoers_debug 0

And in your nsswitch.conf, change the sudoers line to:

sudoers: files ldap sss
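
As an added check that is not part of the original mail (the helper names, the temporary sample files and the expected file mode policy below are this example's own, modelled on the config above): a POSIX sh script that verifies a sudo-ldap.conf uses start_tls or ldaps://, has tls_checkpeer enabled with a CA bundle, is not group- or world-readable when it carries a bindpw, and that the nsswitch.conf sudoers line actually lists ldap.

```shell
#!/bin/sh
# Added example, not code from the original mail: sanity-check the two files
# the workaround touches. The sample files below are constructed here.

# check_sudo_ldap_conf FILE
# Prints one line per problem found; returns 0 only when nothing was flagged.
check_sudo_ldap_conf() {
    conf="$1"; rc=0
    # Transport: start_tls or an ldaps:// URI; otherwise the bind (and the
    # bindpw with it) crosses the wire in cleartext.
    if ! grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf" &&
       ! grep -Eq '^[[:space:]]*uri[[:space:]].*ldaps://' "$conf"; then
        echo "$conf: no 'ssl start_tls' and no ldaps:// uri (cleartext bind)"; rc=1
    fi
    # Peer verification: with tls_checkpeer off, TLS still lets anyone who
    # answers the DNS name receive the bind credentials.
    if ! grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+(yes|true|on)([[:space:]]|$)' "$conf"; then
        echo "$conf: tls_checkpeer is not enabled"; rc=1
    fi
    # tls_checkpeer needs a CA bundle to verify against (e.g. /etc/ipa/ca.crt).
    if ! grep -Eq '^[[:space:]]*tls_cacertfile[[:space:]]+[^[:space:]]' "$conf"; then
        echo "$conf: tls_cacertfile is not set"; rc=1
    fi
    # bindpw is a shared secret and sudo reads the file as root, so the file
    # has no reason to be readable by anyone else (policy assumed here: 0600/0400).
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
        case "$mode" in
            600|400) ;;
            *) echo "$conf: holds bindpw but mode is $mode (expected 0600)"; rc=1 ;;
        esac
    fi
    return $rc
}

# check_nsswitch_sudoers FILE
# Succeeds when the 'sudoers:' line lists ldap (the mail uses 'files ldap sss').
check_nsswitch_sudoers() {
    grep -E '^[[:space:]]*sudoers:' "$1" |
        grep -Eq '(^|[[:space:]])ldap([[:space:]]|$)'
}

# make_sample_files DIR
# Constructed samples: one hardened conf, one weak conf, one nsswitch.conf.
make_sample_files() {
    d="$1"
    cat > "$d/good.conf" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
bindpw placeholder-not-a-real-secret
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://freeipaserver1 ldap://freeipaserver2
sudoers_base ou=sudoers,dc=domain,dc=com
EOF
    chmod 600 "$d/good.conf"
    cat > "$d/weak.conf" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
bindpw placeholder-not-a-real-secret
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer no
uri ldap://freeipaserver1
sudoers_base ou=sudoers,dc=domain,dc=com
EOF
    chmod 644 "$d/weak.conf"
    printf 'passwd:     files sss\nsudoers:    files ldap sss\n' > "$d/nsswitch.conf"
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
make_sample_files "$tmp"
for f in good.conf weak.conf; do
    if check_sudo_ldap_conf "$tmp/$f"; then echo "$f: ok"; else echo "$f: problems found"; fi
done
check_nsswitch_sudoers "$tmp/nsswitch.conf" && echo "nsswitch.conf: sudoers line includes ldap"
rm -rf "$tmp"
```

Against a live host, call check_sudo_ldap_conf /etc/sudo-ldap.conf and check_nsswitch_sudoers /etc/nsswitch.conf. For a functional test of the workaround itself, raising sudoers_debug in sudo-ldap.conf and running sudo -l prints the LDAP queries (and, at level 2, the rule matches) to stderr, as the comments in the config above describe.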

On a side note, setting the nisdomain parameter in rc.local is a hack
at best.  On a Red Hat based system (RHEL, CentOS, etc.) this should be
set in /etc/sysconfig/network, and should look like
NISDOMAIN=your.domain.here.

The professionals may say otherwise on switching to LDAP-based
auth/sudo access, and I will learn something.  At least this gets you
up and running until an actual solution is found.  As I stated earlier,
I believe I had found a bug report on this; I am just having a hard
time finding it again.

Thanks,
Bill
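
The sssd_sudo.log and sssd_server.log excerpts quoted below record a specific sequence: an SRV lookup failure, the backend briefly going online, a failed TGT acquisition, "No available servers" for LDAP, the backend going offline, the periodic sudo rule refresh failing, and the sudo responder then returning 0 rules from its cache. As an added example (not from either mail; the function names are this example's own, and the sample log is reconstructed from the quoted excerpts, joined back onto single lines), a POSIX sh + awk triage that pulls those key events out of an sssd log in order and classifies the outcome, so an empty rule set can be told apart from a rule that simply does not match:

```shell
#!/bin/sh
# Added example, not code from the original thread: triage an sssd log for
# the events that decide whether sudo rules can be served at all.

# sssd_key_events FILE...
# Prints "timestamp | function | message" for each event of interest, in log order.
sssd_key_events() {
    awk '
    /Going offline|Going online|SRV query failed|Could not get TGT|No available servers|refresh of sudo rules failed|Returning 0 rules/ {
        ts = ""; fn = ""
        # Timestamp is the parenthesised prefix "(Mon Aug 25 12:29:03 2014)".
        if (match($0, /^\([^)]*\)/)) ts = substr($0, RSTART + 1, RLENGTH - 2)
        # Function name is the bracketed token directly before the "(0x....)" level.
        if (match($0, /\[[A-Za-z0-9_]+\] \(0x[0-9a-fA-F]+\)/))
            fn = substr($0, RSTART + 1, index(substr($0, RSTART), "]") - 2)
        msg = $0
        sub(/^.*\): /, "", msg)          # everything after the debug level
        print ts " | " fn " | " msg
    }' "$@"
}

# sssd_sudo_verdict FILE...
# Prints one token: the backend state after the last online/offline transition,
# combined with whether the sudo responder handed out an empty rule set.
sssd_sudo_verdict() {
    awk '
    /Going online/      { state = "online" }
    /Going offline/     { state = "offline" }
    /Returning 0 rules/ { empty++ }
    END {
        if (state == "offline" && empty > 0) print "OFFLINE_EMPTY_SUDO_CACHE"
        else if (state == "offline")         print "OFFLINE"
        else if (empty > 0)                  print "ONLINE_NO_RULES_MATCHED"
        else                                 print "OK"
    }' "$@"
}

# write_sample_sssd_log FILE
# Constructed sample, reconstructed from the log excerpts quoted in the thread
# (each entry on one line, as sssd writes it; the e-mail wrapped them).
write_sample_sssd_log() {
    cat > "$1" <<'EOF'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily unavailable)
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [tuser2@server.domain.com]
EOF
}

# Demo run over the constructed sample.
tmp=$(mktemp -d)
write_sample_sssd_log "$tmp/sssd_server.log"
sssd_key_events "$tmp/sssd_server.log"
sssd_sudo_verdict "$tmp/sssd_server.log"
rm -rf "$tmp"
```

On real logs, run sssd_key_events /var/log/sssd/sssd_*.log to get the timeline and sssd_sudo_verdict on the backend log for the classification. The point of the verdict is the one the quoted logs make: when the backend is offline because the SRV lookup and the host TGT both failed, the "Returning 0 rules" line from the sudo responder is a symptom of a cache that was never filled, not of a sudo rule that fails to match the user, so the fix belongs in DNS discovery or the host keytab rather than in the rule definition.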

On Mon Aug 25 05:33:51 2014, Megan . wrote:
> ok.  Changed debug_level to 7.  I already had it in the domain section (first line).
>
> Not sure if this makes a difference
>
> [root at map1 pam.d]# cat system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        required      pam_tally2.so deny=5
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
>
> from sssd_sudo.log
>
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [accept_fd_handler] (0x0400):
> Client connected!
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version]
> (0x0200): Received client version [1].
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version]
> (0x0200): Offered version [1].
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'tuser2' matched without domain, user is tuser2
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): using default domain [(null)]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'tuser2' matched without domain, user is tuser2
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): using default domain [(null)]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting default options for [tuser2] from [<ALL>]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [tuser2 at server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [tuser2 at server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving default options for [tuser2] from [server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
> [<default options>@server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'tuser2' matched without domain, user is tuser2
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): using default domain [(null)]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): name 'tuser2' matched without domain, user is tuser2
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
> (0x0200): using default domain [(null)]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> (0x0200): Requesting rules for [tuser2] from [<ALL>]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> Requesting info about [tuser2 at server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [tuser2 at server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> Retrieving rules for [tuser2] from [server.domain.com]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
> (Mon Aug 25 12:31:40 2014) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
> [tuser2 at server.domain.com]
> (Mon Aug 25 12:31:42 2014) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
>
> from sssd_server.log
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_get_subdomains] (0x0400): Got get subdomains [not forced][]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_get_subdomains] (0x0400): Cannot proceed, provider is offline.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_get_subdomains] (0x1000): Request processed. Returned
> 1,11,Provider is offline
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_get_account_info] (0x0100): Got request for
> [4098][1][idnumber=1079600005]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast
> reply - offline
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_port_status] (0x1000): Port status of port 0 for server '(no
> name)' is 'neutral'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use
> DNS discovery domain 'server.domain.com'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [resolve_srv_cont] (0x0100): Searching for servers via SRV query
> '_ldap._tcp.server.domain.com'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
> '_ldap._tcp.server.domain.com'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [request_watch_destructor] (0x0400): Deleting request watch
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as
> 'not working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as
> 'not resolved'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
> lookup meta-server), resolver returned (5)
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x1000): Trying with the next one!
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'name resolved'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_port_status] (0x1000): Port status of port 0 for server
> 'dir1.server.domain.com' is 'neutral'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'name resolved'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x1000): Saving the first resolved server
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x0200): Found address for server
> dir1.server.domain.com: [10.10.26.148] TTL 7200
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [ipa_resolve_callback] (0x0400): Constructed uri
> 'ldap://dir1.server.domain.com'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for
> connecting
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
> [ldap://dir1.server.domain.com:389/??base] with fd [25].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(objectclass=*)][].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [namingContexts]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [supportedControl]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [supportedExtension]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [supportedFeatures]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [supportedLDAPVersion]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [supportedSASLMechanisms]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [domainControllerFunctionality]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [defaultNamingContext]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [highestCommittedUSN]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
> errmsg set
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_kinit_send] (0x0400): Attempting kinit (default,
> host/map1.server.domain.com, server.domain.com, 86400)
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'name resolved'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'name resolved'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x1000): Saving the first resolved server
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x0200): Found address for server
> dir1.server.domain.com: [10.10.26.148] TTL 7200
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
> TGT...
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [create_tgt_req_send_buffer] (0x1000): buffer size: 72
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt
> child
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [write_pipe_handler] (0x0400): All data has been sent!
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [read_pipe_handler] (0x0400): EOF received, client finished
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_tgt_recv] (0x0400): Child responded: 0
> [FILE:/var/lib/sss/db/ccache_server.domain.com], expired on
> [1409056143]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_cli_auth_step] (0x0100): expire timeout is 900
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_cli_auth_step] (0x1000): the connection will expire at
> 1408970643
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user:
> host/map1.server.domain.com
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [child_sig_handler] (0x1000): Waiting for child [17983].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [child_sig_handler] (0x0100): child [17983] finished successfully.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [fo_set_port_status] (0x0100): Marking port 0 of server
> 'dir1.server.domain.com' as 'working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [set_server_common_status] (0x0100): Marking server
> 'dir1.server.domain.com' as 'working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_groups_next_base] (0x0400): Searching for groups with base
> [cn=accounts,dc=server,dc=domain,dc=com]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(gidNumber=1079600005)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=server,dc=domain,dc=com].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [modifyTimestamp]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_run_online_cb] (0x0080): Going online. Running callbacks.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
> errmsg set
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_groups_process] (0x0400): Search for groups, returned 1
> results.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_has_deref_support] (0x0400): The server supports deref method
> OpenLDAP
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_save_group] (0x0400): Processing group tuser2
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_save_group] (0x1000): Original USN value is not available for
> [tuser2].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_process_ghost_members] (0x0400): The group has 0 members
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_process_ghost_members] (0x0400): Group has 0 members
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_save_group] (0x0400): Storing info for group tuser2
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_save_grpmem] (0x1000): No members for group [tuser2]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_save_grpmem] (0x0400): Storing members for group tuser2
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
> 1408969743
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo
> rules
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_port_status] (0x1000): Port status of port 389 for server
> 'dir1.server.domain.com' is 'not working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_port_status] (0x0100): Reseting the status of port 389 for server
> 'dir1.server.domain.com'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x1000): Saving the first resolved server
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x0200): Found address for server
> dir1.server.domain.com: [10.10.26.148] TTL 7200
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_uri_callback] (0x0400): Constructed uri
> 'ldap://dir1.server.domain.com'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for
> connecting
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
> [ldap://dir1.server.domain.com:389/??base] with fd [26].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(objectclass=*)][].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [namingContexts]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [supportedControl]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [supportedExtension]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [supportedFeatures]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [supportedLDAPVersion]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [supportedSASLMechanisms]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [domainControllerFunctionality]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [defaultNamingContext]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [highestCommittedUSN]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
> errmsg set
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_kinit_send] (0x0400): Attempting kinit (default,
> host/dir1.server.domain.com, server.domain.com, 86400)
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service
> KERBEROS
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service
> 'KERBEROS'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x1000): Saving the first resolved server
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x0200): Found address for server
> dir1.server.domain.com: [10.10.26.148] TTL 7200
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
> TGT...
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [create_tgt_req_send_buffer] (0x1000): buffer size: 72
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt
> child
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [write_pipe_handler] (0x0400): All data has been sent!
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [read_pipe_handler] (0x0400): EOF received, client finished
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Error writing to
> key table], expired on [0]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [5] result [4]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [fo_set_port_status] (0x0100): Marking port 389 of server
> 'dir1.server.domain.com' as 'not working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [get_port_status] (0x1000): Port status of port 389 for server
> 'dir1.server.domain.com' is 'not working'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [fo_resolve_service_send] (0x0020): No available servers for service
> 'LDAP'
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [child_sig_handler] (0x1000): Waiting for child [17984].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [child_sig_handler] (0x0100): child [17984] finished successfully.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_done] (0x1000): Server resolution failed: 5
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline
> (5 [Input/output error])
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full
> refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily
> unavailable)
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is
> offline. Scheduling another full refresh in 6 minutes.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
> 1408970103
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
> 1408969743
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo
> rules
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full
> refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily
> unavailable)
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is
> offline. Scheduling another full refresh in 8 minutes.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
> 1408970223
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [objectclass=ipaNTTrustedDomain][cn=trusts,dc=server,dc=domain,dc=com].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaNTFlatName]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaNTTrustedDomainSID]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
> errmsg set
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=server,dc=domain,dc=com].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaSecondaryBaseRID]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaIDRangeSize]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaNTTrustedDomainSID]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
> errmsg set
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sysdb_update_ranges] (0x0400): Adding range
> [server.domain.com_id_range].
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sysdb_range_create] (0x0040): Invalid range, expected that either the
> secondary base rid or the SID of the trusted domain is set, but not
> both or none of them.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sysdb_range_create] (0x0400): Error: 22 (Invalid argument)
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sysdb_update_ranges] (0x0040): sysdb_range_create failed.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [ipa_subdomains_handler_ranges_done] (0x0040): sysdb_update_ranges
> failed.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [delayed_online_authentication_callback] (0x0200): Backend is online,
> starting delayed online authentication.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [remove_krb5_info_files] (0x0200): Could not remove
> [/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file
> or directory]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [remove_krb5_info_files] (0x0200): Could not remove
> [/var/lib/sss/pubconf/kdcinfo.server.domain.com], [2][No such file or
> directory]
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [remove_krb5_info_files] (0x0200): Could not remove
> [/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file
> or directory]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_get_account_info] (0x0100): Got request for [3][1][name=tuser2]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_pam_handler] (0x0100): Got request with the following data
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): domain: server.domain.com
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): user: tuser2
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): service: sudo
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): tty: /dev/pts/1
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): ruser: tuser2
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): rhost:
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): authtok type: 1
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): authtok size: 23
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): newauthtok type: 0
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): newauthtok size: 0
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): priv: 0
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): cli_pid: 17982
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [cc_residual_is_used] (0x1000): User [1079600005] is still active,
> reusing ccache [/tmp/krb5cc_1079600005_Hfzpn4].
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [check_for_valid_tgt] (0x1000): TGT end time [1409049392].
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [check_for_valid_tgt] (0x0080): TGT is valid.
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'working'
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [get_port_status] (0x1000): Port status of port 0 for server
> 'dir1.server.domain.com' is 'working'
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [get_server_status] (0x1000): Status of server
> 'dir1.server.domain.com' is 'working'
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x1000): Saving the first resolved server
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_resolve_server_process] (0x0200): Found address for server
> dir1.server.domain.com: [10.10.26.148] TTL 7200
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [ipa_resolve_callback] (0x0400): Constructed uri
> 'ldap://dir1.server.domain.com'
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [krb5_find_ccache_step] (0x0080): Saved ccache
> FILE:/tmp/krb5cc_1079600005_Hfzpn4 if of different type than ccache in
> configuration file, reusing the old ccache
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [sysdb_cache_auth] (0x0100): Hashes do match!
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>)
> [Provider is Offline (Authentication service cannot retrieve
> authentication info)]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_pam_handler_callback] (0x0100): Sending result
> [9][server.domain.com]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_pam_handler_callback] (0x0100): Sent result [9][server.domain.com]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_pam_handler] (0x0100): Got request with the following data
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): domain: server.domain.com
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): user: tuser2
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): service: sudo
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): tty: /dev/pts/1
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): ruser: tuser2
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): rhost:
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): authtok type: 0
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): authtok size: 0
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): newauthtok type: 0
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): newauthtok size: 0
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): priv: 0
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [pam_print_data] (0x0100): cli_pid: 17982
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [sdap_access_send] (0x0400): Performing access check for user [tuser2]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for
> user [tuser2]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [hbac_attrs_to_rule] (0x1000): Processing rule [allow_all]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [hbac_user_attrs_to_rule] (0x1000): Processing users for rule
> [allow_all]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [hbac_get_category] (0x0200): Category is set to 'all'.
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for
> rule [allow_all]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [hbac_get_category] (0x0200): Category is set to 'all'.
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule
> [allow_all]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [hbac_get_category] (0x0200): Category is set to 'all'.
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
> [allow_all]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [hbac_eval_user_element] (0x1000): [2] groups for [tuser2]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [hbac_eval_user_element] (0x1000): Added group [ipausers] for user
> [tuser2]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
> [allow_all]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
> [Success]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
> [Success]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_pam_handler_callback] (0x0100): Sending result
> [0][server.domain.com]
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_pam_handler_callback] (0x0100): Sent result [0][server.domain.com]
>
> On Mon, Aug 25, 2014 at 8:11 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>> On Mon, Aug 25, 2014 at 06:51:27AM -0400, Megan . wrote:
>>> Good Morning,
>>>
>>> I'm very new to freeIPA.  I'm running CentOS 6.5 with freeIPA v3
>>>
>>> I have the freeIPA server up but I'm working on getting SUDO
>>> configured.  Currently I'm having problems getting sudo commands to
>>> work on the client.  I'm a bit unclear if I have everything configured
>>> correctly.  The only thing that I can figure out might be an issue, is
>>> when I try the sudo command I see a filter search with
>>> objectclass=sudoRule but when I check the ldap server it has
>>
>> These two searches are unrelated. The sudoRule objectclass is what we use
>> internally in sssd cache. On the LDAP side, sudoRole is used.
>>
>> In general, only the [domain] process works with LDAP data, all others
>> (nss, pam, sudo, ...) work with cached data that might look totally
>> different.
>>
>>> objectclass=sudoRole, so there are no results.
>>>
>>> Any ideas?  Thank you in advance for any advice.
>>>
>>
>> Can you put debug_level into the domain section as well and increase the
>> debug_level of both to 7?
>>
>>>
>>>
>>> [tuser2 at map1 ~]$ sudo /sbin/iptables -L
>>> Enter RSA PIN+token:
>>> tuser2 is not allowed to run sudo on map1.  This incident will be reported.
>>>
>>>
>>> CLIENT:
>>>
>>> yum installed libsss_sudo
>>>
>>> I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
>>>
>>> **still not sure what this is for **
>>> Created a sudo user on ldap server
>>> ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory
>>> Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
>>> **
>>
>> The config file looks good to me.
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>
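Added example, not from the thread and not sssd's own code: a small Python triage helper for sssd debug output like the log quoted above. It strips the reply quoting, re-joins the records the mail client wrapped, parses the (timestamp) [process] [function] (level): message layout, and reports the serious failures, the offline authentication result and the ID-range error. The sample input is constructed from records in the thread; the level bits are sssd's debug levels, and treating only 0x0010-0x0040 as failures is this script's assumption.

```python
import re

# sssd record layout as quoted above: (timestamp) [sssd[process]] [function] (0xlevel): message
RECORD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>.+?)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# sssd debug-level bits for fatal (0x0010), critical (0x0020) and operation (0x0040)
# failures. 0x0080 (minor failure) is left out: the thread logs "TGT is valid." there.
FAILURE_MASK = 0x0010 | 0x0020 | 0x0040
# Constructed sample input, modelled on the records quoted in the thread.
SAMPLE = """\
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sysdb_range_create] (0x0040): Invalid range, expected that either the secondary
> base rid or the SID of the trusted domain is set, but not both or none of them.
>
> (Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
> [sysdb_update_ranges] (0x0040): sysdb_range_create failed.
>
> (Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
> [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>)
> [Provider is Offline (Authentication service cannot retrieve authentication info)]
"""

def parse(text):
    """Drop reply quoting, re-join wrapped lines, split each record into fields."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if line.startswith("("):            # a record starts with its timestamp
            records.append(line)
        elif line and records:              # anything else is a wrapped continuation
            records[-1] += " " + line
    out = []
    for rec in records:
        if m := RECORD_RE.match(rec):       # skip lines that are not sssd records
            d = m.groupdict()
            d["level"] = int(d["level"], 16)
            out.append(d)
    return out

def triage(text):
    # What a practitioner reads first: serious failures, offline result, range error.
    recs = parse(text)
    return {
        "failures": [(r["func"], r["msg"]) for r in recs if r["level"] & FAILURE_MASK],
        "offline": any("Provider is Offline" in r["msg"] for r in recs),
        "range_error": any(r["func"] == "sysdb_range_create"
                           and "Invalid range" in r["msg"] for r in recs),
    }
```

Run it on the full sssd_server.domain.com.log after raising debug_level as Jakub suggests; the two 0x0040 records point at the ID range, and the offline result explains why the cached hash was used instead of the KDC.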