[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

Tomas Simecek simecek.tomas at gmail.com
Wed Jul 13 10:44:29 UTC 2016


Thanks Jakub,
in domain log below I can see that rules were found properly:
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari
na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule
[Unixari na test servery]

It also matches the rule and says "Access granted":
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x1000):
[fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]
does not map to either a host or hostgroup. Skipping
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz]
to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): [1] groups for [simecek.tomas at sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [
simecek.tomas at sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na
test servery]

It also mentions SELinux, but I know it is disabled.

Any idea what to check next please?
Full part of the log follows:

(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=simecek.tomas]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by
the IPA provider but are resolved by the responder directly from the cache.
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback]
(0x0100): Request processed. Returned 3,95,Account info lookup failed
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
(0x0100): Got request with the following data
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): domain: sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): user: simecek.tomas at sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): service: sudo
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): tty: /dev/pts/0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): ruser: simecek.tomas at sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): rhost:
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): authtok type: 1
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): priv: 0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): cli_pid: 27305
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds]
(0x0200): Switch user to [988604700][988604700].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
(0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_port_status]
(0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is
'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
seconds
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
(0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[be_resolve_server_process] (0x0200): Found address for server
svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 601
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[ipa_resolve_callback] (0x0400): Constructed uri 'ldap://
svlxxipap.linuxdomain.cz'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [27310]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [27310]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains]
(0x0400): Got get subdomains [forced][SD-STC]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSecondaryBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060],
ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSecondaryBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060],
ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060],
ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0],
ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to
do.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTSecurityIdentifier]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x1000): Waiting for child [27310].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x0100): child [27310] finished successfully.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][3][45].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][-1073741822][24].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): TGT times are
[1468404320][1468404320][1468440320][1468490720].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][6][8].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status]
(0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[set_server_common_status] (0x0100): Marking server '
svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status]
(0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as
'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [switch_creds]
(0x0200): Switch user to [988604700][988604700].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sss_krb5_check_ccache_princ] (0x2000): Searching for [
simecek.tomas at SD-STC.CZ] in cache of type [FILE]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[safe_remove_old_ccache_file] (0x0400): New and old ccache file are the
same, none will be deleted.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=simecek.tomas]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by
the IPA provider but are resolved by the responder directly from the cache.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback]
(0x0100): Request processed. Returned 3,95,Account info lookup failed
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
(0x0100): Got request with the following data
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): command: PAM_ACCT_MGMT
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): domain: sd-stc.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): user: simecek.tomas at sd-stc.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): service: sudo
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): tty: /dev/pts/0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): ruser: simecek.tomas at sd-stc.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): rhost:
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): authtok type: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): priv: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): cli_pid: 27305
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send]
(0x0400): Performing access check for user [simecek.tomas at sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user
[simecek.tomas at sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz
))][cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [fqdn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [serverHostname]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSshPubKey]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=
zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]
using OpenLDAP deref
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
filter][fqdn=zp-cml-test.linuxdomain.cz
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_parse_entry] (0x0400): Got deref control
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref]
(0x1000): Dereferenced DN:
ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref]
(0x1000): Dereferenced DN:
ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_parse_entry] (0x0400): All deref results from a single
control parsed
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_service_info_next] (0x0400): Sending request for next search
base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search
base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 27
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [member]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [member]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_rule_info_next] (0x0400): Sending request for next search base:
[cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=
zp-cml-test.linuxdomain.cz
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=
zp-cml-test.linuxdomain.cz
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 28
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaenabledflag]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [accessRuleType]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberUser]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberService]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberHost]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule]
(0x1000): Processing rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na
test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users]
(0x2000): Search users with filter:
(&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users]
(0x2000): No such entry
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups]
(0x2000): Search groups with filter:
(&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to
rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari
na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x1000):
[fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]
does not map to either a host or hostgroup. Skipping
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz]
to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): [1] groups for [simecek.tomas at sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [
simecek.tomas at sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na
test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_selinux_send] (0x2000): Connection status is [online].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaMigrationEnabled]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapDefault]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapOrder]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaMigrationEnabled]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with
following parameters:
[2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 30
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!

Tomas Simecek

2016-07-13 11:50 GMT+02:00 Jakub Hrozek <jhrozek at redhat.com>:

> On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote:
> > Dear freeIPA gurus,
> > in the previous thread
> > (https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html)
> > you helped me get sudo working for AD users on Centos 7.0
> > (spcss-2t-www.linuxdomain.cz).
> > It was caused by not knowing sudo needs to be enabled in HBAC rules.
> > Now it works properly on Centos 7.0 client.
> > But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
> > same sssd.conf setup.
> > Error message is always:
> >
> > [simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> > [sudo] password for simecek.tomas at sd-stc.cz:
> > simecek.tomas at sd-stc.cz is not allowed to run sudo on zp-cml-test.  This
> > incident will be reported.
> >
> > Here are my HBAC rules; the second one should apply. It definitely applies
> > for the Centos 7.0 server:
> > [root at svlxxipap ~]# ipa hbacrule-find
> > --------------------
> > 2 HBAC rules matched
> > --------------------
> >   Rule name: allow_all
> >   User category: all
> >   Host category: all
> >   Service category: all
> >   Description: Allow all users to access any host from any host
> >   Enabled: FALSE
> >
> >   Rule name: Unixari na test servery
> >   Enabled: TRUE
> >   User Groups: grpunixadmins
> >   Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >   Services: login, sshd, sudo, sudo-i, su, su-l
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> >
> > This is my /etc/sssd/sssd.conf. It is the same as on the Centos 7.0 server,
> > just with the proper server name of course:
> >
> > [root at zp-cml-test sssd]# cat /etc/sssd/sssd.conf
> > [domain/linuxdomain.cz]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = linuxdomain.cz
> > id_provider = ipa
> > krb5_realm = LINUXDOMAIN.CZ
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = zp-cml-test.linuxdomain.cz
> > chpass_provider = ipa
> > ipa_server = svlxxipap.linuxdomain.cz
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > override_shell = /bin/bash
> > sudo_provider = ldap
> > ldap_uri = ldap://svlxxipap.linuxdomain.cz
> > ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> > ldap_sasl_mech = GSSAPI
> > #ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ
> > ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> > ldap_sasl_realm = LINUXDOMAIN.CZ
> > krb5_server = svlxxipap.linuxdomain.cz
> >
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> > debug_level = 0x3ff0
> > domains = linuxdomain.cz
> > [nss]
> > homedir_substring = /home
> >
> > [pam]
> > [sudo]
> > debug_level = 0x3ff0
> > [autofs]
> > [ssh]
> > [pac]
> > [ifp]
> >
> > This is output from sssd_sudo.log:
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
> > Client connected!
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> > Received client version [1].
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
> > Offered version [1].
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
> > protocol version [1]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> > (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
> > sd-stc.cz', user is simecek.tomas
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> > (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
> > sd-stc.cz', user is simecek.tomas
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> > (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz
> ]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> > Requesting info about [simecek.tomas at sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> > Returning info for user [simecek.tomas at sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> > Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz
> ]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> > (0x0400): No such entry
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> > (0x0200): Searching sysdb with
> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> > simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
> > users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%
> > mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%
> wifi at sd-stc.cz
> >
> )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
> About
> > to get sudo rules from cache
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> > (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(name=defaults)))]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache]
> > (0x0400): Returning 0 rules for [<default options>@sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
> > protocol version [1]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> > (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
> > sd-stc.cz', user is simecek.tomas
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
> > (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
> > sd-stc.cz', user is simecek.tomas
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
> > (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
> > Requesting info about [simecek.tomas at sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> > Returning info for user [simecek.tomas at sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
> > Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> > (0x0400): No such entry
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> > (0x0200): Searching sysdb with
> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> > simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
> > users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%
> > mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%
> wifi at sd-stc.cz
> >
> )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
> About
> > to get sudo rules from cache
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> > (0x0400): No such entry
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> > (0x0200): Searching sysdb with
> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
> simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
> > users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%
> > mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%
> wifi at sd-stc.cz
> > )(sudoUser=%grpunixadmins)(sudoUser=+*)))]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache]
> > (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
> > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client
> > disconnected!
> > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000):
> > Terminated client [0x1330300][18]
>
> When you look into the domain logs, do they show some rules being
> fetched?
>
> You can also install ldbsearch and then check what rules got stored in
> the cache:
>     ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
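The two logs in this message can be cross-checked mechanically. The following is an added example, not part of the original post or of SSSD: it rejoins mail-wrapped SSSD debug records, then reports which HBAC rule granted access, how many sudo rules the sudo responder returned from its cache, and which sudoUser values it searched for. The function names and the abridged sample logs are constructed for illustration.

```python
import re

# Constructed samples: abridged from the logs in this thread, with the mail
# archive's line wrapping and "> " quote markers left in place on purpose.
SAMPLE_DOMAIN_LOG = """
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na
test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
"""
SAMPLE_SUDO_LOG = """
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> > (0x0200): Searching sysdb with
> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
> simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%grpunixadmins)(sudoUser=+*)))]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_from_cache]
> > (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
"""

# A record starts with "(Wed Jul 13 12:05:21 2016) [sssd[...".
RECORD_START = re.compile(r"^\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) \[sssd\[")
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<component>.+?)\]\] "
    r"\[(?P<function>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<message>.*)$"
)
QUOTE_PREFIX = re.compile(r"^(?:>\s?)+")
GRANTED = re.compile(r"Access granted by HBAC rule \[(.+?)\]\s*$")
RETURNING = re.compile(r"Returning (\d+) rules for \[(.+?)\s*\]\s*$")
SUDO_USER = re.compile(r"\(sudoUser=\s*([^)]*?)\s*\)")


def join_records(text):
    """Undo mail wrapping: strip quote markers, glue continuations to records.

    Continuation lines are joined with one space (a heuristic); a break inside
    a token leaves a stray space, which SUDO_USER tolerates after '='.
    """
    records = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse(text):
    """Return one dict per well-formed record; malformed records are skipped."""
    matches = (RECORD.match(rec) for rec in join_records(text))
    return [m.groupdict() for m in matches if m]


def triage(domain_log, sudo_log):
    """Summarise the HBAC decision and what the sudo responder found in cache."""
    granted, counts, names = [], {}, []
    for rec in parse(domain_log):
        m = GRANTED.search(rec["message"])
        if rec["function"] == "ipa_hbac_evaluate_rules" and m:
            granted.append(m.group(1))
    for rec in parse(sudo_log):
        if rec["function"] == "sudosrv_get_sudorules_from_cache":
            m = RETURNING.search(rec["message"])
            if m:
                counts[m.group(2)] = int(m.group(1))
        elif rec["function"] == "sudosrv_get_sudorules_query_cache":
            for value in SUDO_USER.findall(rec["message"]):
                if value not in names:
                    names.append(value)
    return {
        "hbac_granted": granted,
        "sudo_rule_counts": counts,
        "sudo_lookup_names": names,
        # Identities for which the responder's cache lookup came back empty.
        "sudo_empty_for": sorted(u for u, n in counts.items() if n == 0),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DOMAIN_LOG, SAMPLE_SUDO_LOG).items():
        print(f"{key}: {value}")
```

A result with a granted HBAC rule and an entry in `sudo_empty_for` separates the two layers: the PAM access check passed, while the sudo responder found no cached sudoRule matching any of the listed sudoUser values.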