[Freeipa-users] sudo with freeIPA

Lukas Slebodnik lslebodn at redhat.com
Tue Aug 26 06:34:51 UTC 2014


On (25/08/14 08:33), Megan . wrote:
>ok.  Changed debug_level to 7.  I already had it in the domain section (first line).
>
>
>
>Not sure if this makes a difference
>
>[root at map1 pam.d]# cat system-auth
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth        required      pam_env.so
>auth        required      pam_tally2.so deny=5
>auth        sufficient    pam_unix.so nullok try_first_pass
>auth        requisite     pam_succeed_if.so uid >= 500 quiet
>auth        sufficient    pam_sss.so use_first_pass
>auth        required      pam_deny.so
>
>account     required      pam_unix.so broken_shadow
>account     sufficient    pam_succeed_if.so uid < 500 quiet
>account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>account     required      pam_permit.so
>
>password    requisite     pam_cracklib.so try_first_pass retry=3
>minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
>password    sufficient    pam_unix.so sha512 shadow nullok
>try_first_pass use_authtok
>password    sufficient    pam_sss.so use_authtok
>password    required      pam_deny.so
>
>session     optional      pam_keyinit.so revoke
>session     required      pam_limits.so
>session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
>session     [success=1 default=ignore] pam_succeed_if.so service in
>crond quiet use_uid
>session     required      pam_unix.so
>session     optional      pam_sss.so
>
>
>from sssd_server.log
>
>
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[be_get_subdomains] (0x0400): Got get subdomains [not forced][]
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[be_get_subdomains] (0x0400): Cannot proceed, provider is offline.
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[be_get_subdomains] (0x1000): Request processed. Returned
>1,11,Provider is offline
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[be_get_account_info] (0x0100): Got request for
>[4098][1][idnumber=1079600005]
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast
>reply - offline

SSSD was in offline mode, sudo rules were not downloaded yet.
This is a reason why sudo doesn't work for you.

>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[get_port_status] (0x1000): Port status of port 0 for server '(no
>name)' is 'neutral'
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[resolve_srv_send] (0x0200): The status of SRV lookup is neutral
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use
>DNS discovery domain 'server.domain.com'
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[resolve_srv_cont] (0x0100): Searching for servers via SRV query
>'_ldap._tcp.server.domain.com'
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
>'_ldap._tcp.server.domain.com'
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[request_watch_destructor] (0x0400): Deleting request watch
>
>(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
>[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
>
SSSD was not able to resolve SRV records.
There are two explanations:
    a) you did not install the IPA server with DNS (ipa-server-install --setup-dns)
    b) you don't have the IP address of the IPA server in /etc/resolv.conf

If you fix this problem, sudo should work.

You can test resolving SRV records from command line
    dig SRV _ldap._tcp.server.domain.com

LS
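The diagnosis above (provider offline because the `_ldap._tcp` SRV lookup failed), as an added example that is not part of this thread: a small POSIX shell helper that classifies sssd domain-log text, pulls out the SRV name to feed to `dig`, and checks whether a resolv.conf lists the IPA server. The sample log text is constructed from the quoted lines and the nameserver address is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed sample log text
# modelled on the quoted sssd_server.log lines (one record per line).
SAMPLE_LOG=$(cat <<'EOF'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_subdomains] (0x0400): Cannot proceed, provider is offline.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
EOF
)

# diagnose_sssd_log LOGTEXT
# Prints one of: online, offline-srv-failed, offline-other.
# "offline-srv-failed" is the case from the thread: sudo rules cannot be
# downloaded because the backend never found a server via DNS SRV.
diagnose_sssd_log() {
    if ! printf '%s\n' "$1" | grep -q 'provider is offline'; then
        echo online
    elif printf '%s\n' "$1" | grep -q 'SRV query failed'; then
        echo offline-srv-failed
    else
        echo offline-other
    fi
}

# srv_name_from_log LOGTEXT
# Prints the SRV record sssd tried, so it can be checked by hand with
#   dig SRV "$(srv_name_from_log "$log")"
srv_name_from_log() {
    printf '%s\n' "$1" | sed -n "s/.*SRV query '\([^']*\)'.*/\1/p" | head -n 1
}

# resolv_has_nameserver RESOLVCONF_TEXT IP
# Returns 0 if IP appears as a nameserver entry (explanation b) above).
resolv_has_nameserver() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == "nameserver" && $2 == ip { found = 1 } END { exit !found }'
}

# Stand-alone run: classify the constructed log and show the SRV name.
diagnose_sssd_log "$SAMPLE_LOG"
srv_name_from_log "$SAMPLE_LOG"
```

On a real client, feed it `/var/log/sssd/sssd_<domain>.log` and `/etc/resolv.conf` instead of the constructed strings.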
