[Freeipa-users] Freeipa and sudo

Tomas Simecek simecek.tomas at gmail.com
Wed Jul 6 13:22:34 UTC 2016


Hi Danila and other freeipa gurus,
sorry for my late answer; there is a bank holiday in CZ and I am off work
for these two days.
Yes, /etc/nsswitch.conf is fine, see:

[root@spcss-2t-www ~]# cat /etc/nsswitch.conf | grep sudo
sudoers: files sss

I think it is set up as part of freeipa-client package.
I went through this guide:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

so I guess things are set right.
When I try to sudo as a domain user, sssd_linuxdomain.cz.log says the following:
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.sudoHandler on path
/org/freedesktop/sssd/dataprovider
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_sudo_handler]
(0x0400): Entering be_sudo_handler()
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_handler]
(0x0400): Issuing a refresh of specific sudo rules
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with
base [ou=sudoers,dc=linuxdomain,dc=cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(&(objectClass=sudoRole)(|(cn=Pokusne)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=spcss-2t-www.linuxdomain.cz)(sudoHost=spcss-2t-www)(sudoHost=10.1.62.88)(sudoHost=10.1.62.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 6 timeout 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0],
ldap[0x7f2389333ff0]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=Pokusne,ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sudoCommand]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sudoHost]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sudoUser]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [entryUSN]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0],
ldap[0x7f2389333ff0]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 6 finished
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base
[ou=sudoers,dc=linuxdomain,dc=cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_sudo_refresh_load_done] (0x0400): Received 1 rules
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule Pokusne
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_save_sudorule]
(0x0400): Adding sudo rule Pokusne
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in
cache
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_set_usn]
(0x0200): SUDO higher USN value: [16136]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[be_sudo_handler_reply] (0x0200): SUDO Backend returned: (0, 0, Success)
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[(nil)],
ldap[0x7f2389333ff0]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.getAccountInfo on path
/org/freedesktop/sssd/dataprovider
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info]
(0x0200): Got request for [0x1002][1][name=grpunixadmins]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [linuxdomain.cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base
[cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTSecurityIdentifier]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 22 timeout 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [gidNumber]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [member]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaUniqueID]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [modifyTimestamp]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [entryUSN]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 22 finished
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_nested_group_process_send] (0x2000): About to process group
[cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users]
(0x2000): Search users with filter:
(&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users]
(0x2000): No such entry
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups]
(0x2000): Search groups with filter:
(&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group
[cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_nested_group_process_send] (0x2000): Members of group
[cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be
processed individually
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTSecurityIdentifier]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 23 timeout 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaUniqueID]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [modifyTimestamp]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [entryUSN]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 23 finished
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and
setting GID=0!
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_nested_group_process_send] (0x2000): About to process group
[cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_nested_group_recv] (0x0400): 2 groups found in the hash table
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_primary_name] (0x0400): Processing object grpunixadmins
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
(0x0400): Processing group grpunixadmins
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
(0x2000): This is a posix group
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_attrs_add_ldap_attr] (0x2000): Adding original DN
[cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes
of [grpunixadmins].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp
[20160629090835Z] to attributes of [grpunixadmins].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_process_ghost_members] (0x0400): The group has 1 members
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_process_ghost_members] (0x0400): Group has 1 members
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
(0x0400): Storing info for group grpunixadmins
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute.
[0][Success]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_primary_name] (0x0400): Processing object ad_admins_external
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
(0x0400): Processing group ad_admins_external
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
(0x2000): This is not a posix group
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_attrs_add_ldap_attr] (0x2000): Adding original DN
[cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to
attributes of [ad_admins_external].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp
[20160629090835Z] to attributes of [ad_admins_external].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_process_ghost_members] (0x0400): The group has 0 members
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_process_ghost_members] (0x0400): Group has 0 members
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
(0x0400): Storing info for group ad_admins_external
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_primary_name] (0x0400): Processing object grpunixadmins
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
(0x0400): Processing group grpunixadmins
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
(0x0400): Adding member users to group [grpunixadmins]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_fill_memberships] (0x1000):     member #0
(cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz):
[name=ad_admins_external,cn=groups,cn=linuxdomain.cz,cn=sysdb]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_primary_name] (0x0400): Processing object ad_admins_external
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
(0x0400): Processing group ad_admins_external
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
(0x0400): Failed to get group sid
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
(0x0400): No members for group [ad_admins_external]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_done]
(0x2000): No external members, done
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 24 timeout 60
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 24 finished
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success (Success)
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[(nil)],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.getAccountInfo on path
/org/freedesktop/sssd/dataprovider
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info]
(0x0200): Got request for [0x3][1][name=simecek.tomas]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 25 timeout 60
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893168e0],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 25 finished
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
(0x2000): ldap_extended_operation sent, msgid = 26
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 26 timeout 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done]
(0x0400): ldap_extended_operation result: Success(0), (null).
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 26 finished
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_search_by_name] (0x0400): No such entry
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
(0x2000): ldap_extended_operation sent, msgid = 27
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 27 timeout 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done]
(0x0400): ldap_extended_operation result: Success(0), (null).
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 27 finished
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[ipa_s2n_save_objects] (0x2000): Updating memberships for
simecek.tomas@sd-stc.cz
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_update_members_ex] (0x0020): Could not add member
[simecek.tomas@sd-stc.cz] to group
[name=simecek.tomas@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[ipa_s2n_save_objects] (0x2000): Updating memberships for
simecek.tomas@sd-stc.cz
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_update_members_ex] (0x0020): Could not add member
[simecek.tomas@sd-stc.cz] to group
[name=simecek.tomas@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success (Success)
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[(nil)],
ldap[0x7f2389352030]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.pamHandler on path
/org/freedesktop/sssd/dataprovider
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
(0x0100): Got request with the following data
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): command: SSS_PAM_PREAUTH
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): domain: sd-stc.cz
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): user: simecek.tomas@sd-stc.cz
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): service: sudo
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): tty: /dev/pts/0
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): ruser: simecek.tomas@sd-stc.cz
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): rhost:
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): authtok type: 0
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): priv: 0
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): cli_pid: 32185
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): logon name: not set
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas@sd-stc.cz]
is empty, running request [0x7f2389359480] immediately.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
(0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [get_port_status]
(0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is
'working'
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
seconds
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
(0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[be_resolve_server_process] (0x0200): Found address for server
svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1199
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [32186]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [32186]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status]
(0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[set_server_common_status] (0x0100): Marking server '
svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status]
(0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as
'working'
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[krb5_auth_store_creds] (0x0010): password not available, offline auth may
not work.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue]
(0x1000): Wait queue for user [simecek.tomas@sd-stc.cz] is empty.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f2389359480]
done.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success (Success)]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x1000): Waiting for child [32186].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x0100): child [32186] finished successfully.


I'll appreciate any other hints if you have some.

Thanks,
Tomas Simecek


2016-07-05 15:58 GMT+02:00 Danila Ladner <ladner.danila at gmail.com>:

> What about /etc/nsswitch.conf?
> Does it have "sudo: files sss"?
>
> On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek <simecek.tomas at gmail.com>
> wrote:
>
>> Dear freeipa users/admins,
>> I'm trying to implement freeipa in our company, so that our Unix admins
>> can authenticate on Linux servers using their Windows AD account.
>> Following this guide
>> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
>> work well, they can login without problems.
>> What I cannot get working is sudo from their AD accounts on Linux.
>>
>> No matter what I try, it is still:
>>
>> sudo systemctl restart httpd
>> [sudo] password for simecek.tomas@sd-stc.cz:
>> Sorry, try again.
>>
>> Here's our setup:
>> Freeipa server: CentOS Linux release 7.2.1511 (Core),
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> Freeipa client: the same
>>
>> AD domain name: sd-stc.cz
>> IPA domain: linuxdomain.cz
>>
>> While digging in the logs and googling, I realized that the problem on the
>> client side could be:
>>
>> [root@spcss-2t-www ~]# kinit -k
>> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>>
>> But this seems to work:
>> [root@spcss-2t-www ~]# kinit simecek.tomas@SD-STC.CZ
>> Password for simecek.tomas@SD-STC.CZ:
>> [root@spcss-2t-www ~]# klist
>> Default principal: simecek.tomas@SD-STC.CZ
>>
>> Valid starting       Expires              Service principal
>> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ@SD-STC.CZ
>>         renew until 07/05/2016 09:36:23
>>
>> My /etc/sssd/sssd.conf:
>> [domain/linuxdomain.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linuxdomain.cz
>> krb5_realm = LINUXDOMAIN.CZ
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = spcss-2t-www.linuxdomain.cz
>> chpass_provider = ipa
>> ipa_server = svlxxipap.linuxdomain.cz
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> override_shell = /bin/bash
>> sudo_provider = ldap
>> ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ
>> ldap_sasl_realm = LINUXDOMAIN.CZ
>> krb5_server = svlxxipap.linuxdomain.cz
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = linuxdomain.cz
>> [nss]
>> homedir_substring = /home
>> ....
>>
>> My /etc/krb5.conf:
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>>   default_realm = LINUXDOMAIN.CZ
>>   dns_lookup_realm = true
>>   dns_lookup_kdc = true
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>   udp_preference_limit = 0
>>   default_ccache_name = KEYRING:persistent:%{uid}
>>
>>
>> [realms]
>>   LINUXDOMAIN.CZ = {
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>>
>> [domain_realm]
>>   .linuxdomain.cz = LINUXDOMAIN.CZ
>>   linuxdomain.cz = LINUXDOMAIN.CZ
>>
>> Would you please suggest which way to investigate?
>>
>> Thanks
>>
>> Tomas Simecek
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
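A client-side configuration check, added here as an example; it is not part of the thread and not FreeIPA or SSSD tooling. It reads the text of /etc/nsswitch.conf and /etc/sssd/sssd.conf and flags the settings this thread turns on: sudo consults the NSS database named "sudoers" (the key Tomas's grep output shows), the "sudo" responder has to be listed in the [sssd] services line, and a domain whose sudo rules come from "sudo_provider = ldap" should fetch them over an authenticated channel (GSSAPI, as the posted config does, or StartTLS) rather than a bare ldap:// bind. The two sample configurations are constructed: the first is modelled on the sssd.conf quoted in the thread, the second is a deliberately weakened variant; the finding strings are this example's own.

```python
"""Check the client-side settings sudo-via-SSSD depends on (added example)."""
import configparser
import re

# Constructed sample modelled on the sssd.conf quoted in the thread.
GOOD_NSSWITCH = "passwd: files sss\ngroup: files sss\nsudoers: files sss\n"
GOOD_SSSD_CONF = """\
[domain/linuxdomain.cz]
cache_credentials = True
ipa_domain = linuxdomain.cz
krb5_realm = LINUXDOMAIN.CZ
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spcss-2t-www.linuxdomain.cz
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz

[nss]
homedir_substring = /home
"""

# Constructed weak variant: sudo responder not started, rules fetched over a
# cleartext unauthenticated LDAP connection, search base left to the default.
WEAK_NSSWITCH = "sudoers: files\n"
WEAK_SSSD_CONF = """\
[domain/linuxdomain.cz]
id_provider = ipa
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz

[sssd]
services = nss, pam
domains = linuxdomain.cz
"""


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def check_nsswitch(text):
    """sudo looks up the NSS database named 'sudoers'; it must include sss."""
    match = re.search(r"^\s*sudoers\s*:\s*(.*)$", text, re.MULTILINE)
    if match is None:
        return ["nsswitch: no 'sudoers:' line, only /etc/sudoers will be read"]
    if "sss" not in match.group(1).split():
        return ["nsswitch: 'sudoers:' does not list sss, SSSD rules are ignored"]
    return []


def check_sssd_conf(text):
    """Findings for the [sssd] section and every domain it lists."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if "sudo" not in _csv(cp.get("sssd", "services", fallback="")):
        findings.append("sssd: 'sudo' missing from [sssd] services, responder not started")
    for domain in _csv(cp.get("sssd", "domains", fallback="")):
        section = f"domain/{domain}"
        if not cp.has_section(section):
            findings.append(f"sssd: domain {domain} listed but [{section}] is missing")
            continue
        # sudo_provider defaults to the value of id_provider when it is unset.
        provider = cp.get(section, "sudo_provider",
                          fallback=cp.get(section, "id_provider", fallback="none"))
        if provider == "none":
            findings.append(f"sssd: [{section}] has no sudo provider")
        elif provider == "ldap":
            uri = cp.get(section, "ldap_uri", fallback="")
            sasl = cp.get(section, "ldap_sasl_mech", fallback="").upper()
            starttls = cp.get(section, "ldap_id_use_start_tls", fallback="false")
            if uri.startswith("ldap://") and sasl != "GSSAPI" \
                    and starttls.lower() != "true":
                findings.append(f"sssd: [{section}] fetches sudo rules over ldap:// "
                                "with neither GSSAPI nor StartTLS")
            if not cp.has_option(section, "ldap_sudo_search_base"):
                findings.append(f"sssd: [{section}] has no ldap_sudo_search_base, "
                                "ldap_search_base will be used")
    return findings


def audit(nsswitch_text, sssd_text):
    return check_nsswitch(nsswitch_text) + check_sssd_conf(sssd_text)


if __name__ == "__main__":
    for label, ns, conf in (("thread", GOOD_NSSWITCH, GOOD_SSSD_CONF),
                            ("weak", WEAK_NSSWITCH, WEAK_SSSD_CONF)):
        print(label, audit(ns, conf) or ["no findings"])
```

Run against the thread's own configuration the check reports nothing, which is consistent with the log: the client does reach the compat tree over GSSAPI and gets its rule back. The weakened variant is what a host looks like when sudo silently falls back to /etc/sudoers, or when rules arrive over a connection anyone on the path could alter.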
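A small summarizer for the sssd_<domain>.log excerpt above, added as an example; it is not SSSD's own tooling. Given debug-log lines in the format shown, it separates the two halves of a sudo request: rule retrieval (which rule names and sudoHost values SSSD put into the LDAP filter, how many rules came back, which were written to the cache) and PAM traffic (which PAM commands reached the backend for which user and service, and what the backend returned), plus every entry logged at level 0x0080 or lower, the levels SSSD uses for its failure messages. That split matters when reading the log above: "Sorry, try again." is the message sudo prints for a rejected password, so a successful rule lookup does not by itself explain it, and the excerpt only shows the SSS_PAM_PREAUTH request, not the authentication request that follows it. The sample log lines are constructed from the entries in the thread, unwrapped onto one line each with the archive's " at " restored to "@".

```python
"""Summarize an SSSD domain-log excerpt for a sudo request (added example)."""
import re

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(.*)\]\[([^\]]*)\]\.$")
FAILURE_LEVEL = 0x0080  # SSSD logs fatal..minor failures at 0x0010..0x0080

# Constructed sample: entries from the thread, one per line.
SAMPLE_LOG_LINES = [
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_handler] (0x0400): Issuing a refresh of specific sudo rules",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectClass=sudoRole)(|(cn=Pokusne)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=spcss-2t-www.linuxdomain.cz)(sudoHost=spcss-2t-www)(sudoHost=10.1.62.88)(sudoHost=10.1.62.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=sudoers,dc=linuxdomain,dc=cz].",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Received 1 rules",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule Pokusne",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_sudo_handler_reply] (0x0200): SUDO Backend returned: (0, 0, Success)",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas@sd-stc.cz] to group [name=simecek.tomas@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas@sd-stc.cz",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].",
    r"(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]",
]


def summarize(lines):
    """Return what the log says about rule retrieval, PAM traffic and failures."""
    summary = {
        "sudo_filter_rules": [],     # cn= values SSSD asked the server for
        "sudo_host_candidates": [],  # sudoHost values without wildcards
        "sudo_rules_received": None,
        "sudo_rules_cached": [],
        "domain_switches": [],       # (from, to): request handed to a trusted domain
        "pam_requests": [],
        "problems": [],              # entries at level <= FAILURE_LEVEL
    }
    pam = None
    for raw in lines:
        m = LINE_RE.match(raw)
        if m is None:
            continue
        func, level, msg = m["func"], int(m["lvl"], 16), m["msg"]
        if level <= FAILURE_LEVEL:
            summary["problems"].append(f"{func}: {msg}")
        if func == "sdap_get_generic_ext_step" and "objectClass=sudoRole" in msg:
            sm = SEARCH_RE.search(msg)
            if sm:
                ldap_filter = sm.group(1)
                summary["sudo_filter_rules"] = re.findall(r"\(cn=([^()]*)\)", ldap_filter)
                summary["sudo_host_candidates"] = [
                    v for v in re.findall(r"\(sudoHost=([^()]*)\)", ldap_filter)
                    if "*" not in v]
        elif func == "sdap_sudo_refresh_load_done":
            rm = re.match(r"Received (\d+) rules", msg)
            if rm:
                summary["sudo_rules_received"] = int(rm.group(1))
        elif func == "sysdb_save_sudorule":
            rm = re.match(r"Adding sudo rule (.+)$", msg)
            if rm:
                summary["sudo_rules_cached"].append(rm.group(1))
        elif func == "be_req_set_domain":
            rm = re.match(r"Changing request domain from \[([^\]]+)\] to \[([^\]]+)\]", msg)
            if rm and rm.group(1) != rm.group(2):
                summary["domain_switches"].append((rm.group(1), rm.group(2)))
        elif func == "pam_print_data":
            key, _, value = msg.partition(": ")
            if key == "command":
                pam = {"command": value}
                summary["pam_requests"].append(pam)
            elif pam is not None and key in ("domain", "user", "service"):
                pam[key] = value
        elif func == "be_pam_handler_callback" and pam is not None:
            rm = re.match(r"Backend returned: \((\d+), (\d+),", msg)
            if rm:
                pam["backend_status"] = int(rm.group(1))
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG_LINES).items():
        print(f"{key}: {value}")
```

On the thread's lines the summary shows the rule "Pokusne" requested and cached for a host filter covering the FQDN, short name, address and subnet, the request handed from linuxdomain.cz to the trusted domain sd-stc.cz, two cache-membership failures for the AD user, and a preauth request that the backend answered with status 0. To find the actual password rejection one would feed in the lines that follow, where a pam_print_data "command:" other than SSS_PAM_PREAUTH should appear.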