[Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

Chamambo Martin chamambom at afri-com.net
Tue Apr 7 11:55:43 UTC 2015


Thanks Jakub for pointing me in the right direction. This is what I have now, and I have increased the debug level during troubleshooting:

[domain/ai.co.zw]
debug_level=3
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
sudo_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ironhide.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ai.co.zw

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

Error messages from /var/log/sssd/sssd_ai.co.zw when debug level is set at 4

[root at ironhide ~]# tail -f /var/log/sssd/sssd_ai.co.zw.log
(Tue Apr  7 13:53:42 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (0x0100): Marking server 'cyclops.ai.co.zw' as 'working'
(Tue Apr  7 13:53:42 2015) [sssd[be[ai.co.zw]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Tue Apr  7 13:53:42 2015) [sssd[be[ai.co.zw]]] [sysdb_range_create] (0x0040): Invalid range, skipping. Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them.
(Tue Apr  7 13:53:42 2015) [sssd[be[ai.co.zw]]] [sysdb_range_create] (0x0040): Invalid range, skipping. Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them.
(Tue Apr  7 13:53:42 2015) [sssd[be[ai.co.zw]]] [ipa_subdomains_handler_master_done] (0x0020): Master domain record not found!
(Tue Apr  7 13:53:42 2015) [sssd[be[ai.co.zw]]] [ipa_subdomains_handler_master_done] (0x0020): Master domain record not found!
(Tue Apr  7 13:53:43 2015) [sssd[be[ai.co.zw]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=postfix]
(Tue Apr  7 13:53:43 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr  7 13:53:43 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr  7 13:53:43 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Apr  7 13:53:58 2015) [sssd[be[ai.co.zw]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=postfix]
(Tue Apr  7 13:53:58 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr  7 13:53:58 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr  7 13:53:58 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [be_get_account_info] (0x0100): Got request for [3][1][name=admin]
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): domain: ai.co.zw
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): ruser: admin
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): rhost: 
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): priv: 0
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): cli_pid: 2377
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'cyclops.ai.co.zw' as 'working'
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (0x0100): Marking server 'cyclops.ai.co.zw' as 'working'
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw]
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw]
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [child_sig_handler] (0x0100): child [2379] finished successfully.
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): domain: ai.co.zw
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): ruser: admin
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): rhost: 
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): priv: 0
(Tue Apr  7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): cli_pid: 2377
(Tue Apr  7 13:54:01 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Tue Apr  7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Tue Apr  7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Tue Apr  7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw]
(Tue Apr  7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw]
^C


-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com] 
Sent: Tuesday, April 07, 2015 12:58 PM
To: Chamambo Martin
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote:
> Sorry for the confusion about that one ,that client I used to 
> aunthenticate to a pure 389 directory server and I have since changed 
> it to free ipa and below is the correct configuration.
> 
> I managed to add the line sudo_provider = ipa and im getting the below 
> error on my client

I don't see it added to the config.

If it's added, the next steps would be to add debug_level to the sudo and
domain sections. https://fedorahosted.org/sssd/wiki/Troubleshooting
has some notes on gathering the debug logs.
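The log excerpt quoted above is wrapped by the mail client, which defeats a plain grep for a single entry. The following Python is an added example, not code from the original post or from the SSSD project: it re-joins the wrapped entries, parses each into timestamp, domain, function, level and message, collapses each PAM request into one record, and separates HBAC grants from failure-level entries. The sample lines are copied from the excerpt above, and the reading of sssd's hex levels (0x0010 fatal through 0x0080 minor failure) follows the debug_level description in sssd.conf(5).

```python
import re
# Constructed sample: entries from the post's log excerpt, still mail-wrapped.
SAMPLE = """\
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain
SID from [(null)]
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100):
Got request with the following data
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
command: PAM_AUTHENTICATE
(Tue Apr  7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100):
service: sudo
(Tue Apr  7 13:54:01 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules]
(0x0080): Access granted by HBAC rule [allow_all]
"""
# A new entry starts with sssd's "(Tue Apr  7 13:53:59 2015)" timestamp; any
# other line is the wrapped tail of the entry before it.
TS_START = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}\)")
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                   r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
HBAC_GRANT = re.compile(r"Access granted by HBAC rule \[(?P<rule>[^\]]+)\]")

def parse(text):
    """Re-join wrapped lines, then split every entry into its fields."""
    joined = []
    for line in text.splitlines():
        if TS_START.match(line):
            joined.append(line.rstrip())
        elif joined:
            joined[-1] += " " + line.strip()
    return [m.groupdict() for m in map(ENTRY.match, joined) if m]

def pam_requests(entries):
    """Collapse each be_pam_handler block of pam_print_data lines into one dict."""
    requests = []
    for e in entries:
        if e["func"] == "be_pam_handler":
            requests.append({})
        elif e["func"] == "pam_print_data" and requests:
            key, _, value = e["msg"].partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def hbac_grants(entries):
    """(timestamp, rule) per HBAC grant; 'allow_all' is FreeIPA's default rule."""
    return [(e["ts"], m.group("rule")) for e in entries
            if (m := HBAC_GRANT.search(e["msg"]))]

def failures(entries):
    """Levels 0x0010..0x0080 are fatal..minor failure; HBAC grants log at 0x0080 too."""
    return [e for e in entries if int(e["level"], 16) <= 0x0080
            and e["func"] != "ipa_hbac_evaluate_rules"]
```

Run against the full excerpt, `failures()` isolates the repeated SID and range messages from the PAM chatter, and `hbac_grants()` shows which rule actually let the sudo session through.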