[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

Justin Stephenson jstephen at redhat.com
Wed Jul 13 14:24:15 UTC 2016


On 07/13/2016 06:44 AM, Tomas Simecek wrote:

> Thanks, Jakub,
> in domain log below I can see that rules were found properly:
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]

These logs are related to HBAC rules, not sudo rule retrieval from IPA. 
In the domain log you want to look for log messages similar to:

[sdap_sudo_refresh_load_done] (0x0400): Received $num-rules rules

[sssd[be[LDAP.PB]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule $rule-name

[sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache


You can check if the expected sudo rule is stored in the sssd cache file 
with the following command:

     # ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb objectclass=sudorule

If it is not there, then likely the problem is in the domain log because 
sssd is not retrieving the sudo rule from the IPA server correctly.

Kind regards,
Justin Stephenson
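
The log check described in the reply above, as an added example that is not part of the original post: it separates HBAC evaluation messages from sudo rule refresh messages in an sssd domain log and reports whether sudo rules were received and stored. The function names, verdict strings, sample timestamps and the rule name `example_rule` are assumptions; the matched message texts are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: triage an sssd domain log for sudo rule retrieval.
# HBAC messages only show that PAM access control ran; they say nothing
# about whether sudo rules were fetched from IPA and cached.

# Write constructed sample logs into directory $1. The HBAC lines mirror
# those quoted in the thread; the sudo lines follow the message patterns
# given in the reply, with a made-up rule name and rule counts.
write_sample_logs() {
    cat > "$1/hbac_only.log" <<'EOF'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery]
EOF
    cat > "$1/with_sudo.log" <<'EOF'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery]
(Wed Jul 13 12:06:02 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Received 1 rules
(Wed Jul 13 12:06:02 2016) [sssd[be[linuxdomain.cz]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule example_rule
(Wed Jul 13 12:06:02 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache
EOF
    cat > "$1/empty_refresh.log" <<'EOF'
(Wed Jul 13 12:06:02 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Received 0 rules
EOF
}

# Print "hbac=<n> received=<n|none> added=<n> stored=<n>" for the log in $1.
# "received" is the count from the last refresh seen, or "none" when the
# log contains no sudo refresh at all.
summarize_domain_log() {
    awk '
        BEGIN { hbac = 0; added = 0; stored = 0; received = "none" }
        /\[(ipa_)?hbac_[a-z_]+\]/ { hbac++ }
        /\[sdap_sudo_refresh_load_done\]/ && /Received [0-9]+ rules/ {
            for (i = 1; i < NF; i++)
                if ($i == "Received") received = $(i + 1)
        }
        /\[sysdb_save_sudorule\]/ && /Adding sudo rule/ { added++ }
        # "successfuly" is spelled as in the log message quoted in the reply.
        /\[sdap_sudo_refresh_load_done\]/ && /Sudoers is successfuly stored in cache/ { stored++ }
        END {
            printf "hbac=%d received=%s added=%d stored=%d\n",
                   hbac, received, added, stored
        }
    ' "$1"
}

# Turn the summary into one verdict word for the log in $1.
sudo_retrieval_verdict() {
    summary=$(summarize_domain_log "$1")
    case $summary in
        *"received=none"*) echo "no-sudo-refresh-logged" ;;    # HBAC-only excerpt
        *"received=0 "*)   echo "refresh-returned-no-rules" ;; # IPA sent nothing
        *"stored=0")       echo "rules-received-not-stored" ;; # cache write missing
        *)                 echo "rules-stored" ;;
    esac
}

# Demo run over the constructed samples. When the verdict is not
# "rules-stored", the next step from the reply is to inspect the cache:
#   ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb objectclass=sudorule
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
for f in hbac_only with_sudo empty_refresh; do
    printf '%s: %s (%s)\n' "$f" \
        "$(sudo_retrieval_verdict "$demo_dir/$f.log")" \
        "$(summarize_domain_log "$demo_dir/$f.log")"
done
rm -rf "$demo_dir"
```
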

> Thanks, Jakub,
> in domain log below I can see that rules were found properly:
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
>
> It also matches the rule and says "Access granted":
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [1] groups for [simecek.tomas at sd-stc.cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas at sd-stc.cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery]
>
> It also mentions SELinux, but I know it is disabled.
>
> Any idea what to check next please?
> Full part of the log follows:
>
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_get_account_info] (0x0100): Got request 
> for [3][1][name=simecek.tomas]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_req_set_domain] (0x0400): Changing 
> request domain from [linuxdomain.cz <http://linuxdomain.cz>] to 
> [sd-stc.cz <http://sd-stc.cz>]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [ipa_get_subdom_acct_send] (0x0400): 
> Initgroups requests are not handled by the IPA provider but are 
> resolved by the responder directly from the cache.
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [acctinfo_callback] (0x0100): Request 
> processed. Returned 3,95,Account info lookup failed
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sbus_get_sender_id_send] (0x2000): Not a 
> sysbus message, quit
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_req_set_domain] (0x0400): Changing 
> request domain from [linuxdomain.cz <http://linuxdomain.cz>] to 
> [sd-stc.cz <http://sd-stc.cz>]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_pam_handler] (0x0100): Got request with 
> the following data
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): command: 
> PAM_AUTHENTICATE
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): domain: 
> sd-stc.cz <http://sd-stc.cz>
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): user: 
> simecek.tomas at sd-stc.cz <mailto:simecek.tomas at sd-stc.cz>
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): service: sudo
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): ruser: 
> simecek.tomas at sd-stc.cz <mailto:simecek.tomas at sd-stc.cz>
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): rhost:
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): authtok type: 1
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): priv: 0
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): cli_pid: 27305
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [switch_creds] (0x0200): Switch user to 
> [988604700][988604700].
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT 
> not found or expired.
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [fo_resolve_service_send] (0x0100): Trying 
> to resolve service 'IPA'
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [get_server_status] (0x1000): Status of 
> server 'svlxxipap.linuxdomain.cz <http://svlxxipap.linuxdomain.cz>' is 
> 'working'
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [get_port_status] (0x1000): Port status of 
> port 0 for server 'svlxxipap.linuxdomain.cz 
> <http://svlxxipap.linuxdomain.cz>' is 'working'
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [fo_resolve_service_activate_timeout] 
> (0x2000): Resolve timeout set to 6 seconds
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [get_server_status] (0x1000): Status of 
> server 'svlxxipap.linuxdomain.cz <http://svlxxipap.linuxdomain.cz>' is 
> 'working'
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_resolve_server_process] (0x1000): 
> Saving the first resolved server
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_resolve_server_process] (0x0200): Found 
> address for server svlxxipap.linuxdomain.cz 
> <http://svlxxipap.linuxdomain.cz>: [10.1.123.103] TTL 601
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [ipa_resolve_callback] (0x0400): 
> Constructed uri 'ldap://svlxxipap.linuxdomain.cz 
> <http://svlxxipap.linuxdomain.cz>'
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [child_handler_setup] (0x2000): Setting up 
> signal handler up for pid [27310]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [child_handler_setup] (0x2000): Signal 
> handler set up for pid [27310]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [write_pipe_handler] (0x0400): All data has 
> been sent!
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sbus_get_sender_id_send] (0x2000): Not a 
> sysbus message, quit
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_get_subdomains] (0x0400): Got get 
> subdomains [forced][SD-STC]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x0400): 
> calling ldap_search_ext with 
> [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [objectClass]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [cn]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaBaseID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaBaseRID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaSecondaryBaseRID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaIDRangeSize]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaNTTrustedDomainSID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaRangeType]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x2000): 
> ldap_search_ext called, msgid = 21
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [objectClass]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [cn]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaBaseID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaBaseRID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaSecondaryBaseRID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaIDRangeSize]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaRangeType]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [objectClass]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [cn]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaBaseID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaBaseRID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaIDRangeSize]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaNTTrustedDomainSID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaRangeType]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_done] (0x0400): 
> Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x0400): 
> calling ldap_search_ext with 
> [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [cn]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaNTFlatName]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaNTTrustedDomainSID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x2000): 
> ldap_search_ext called, msgid = 22
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaNTFlatName]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaNTTrustedDomainSID]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_done] (0x0400): 
> Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [ipa_subdom_get_forest] (0x0400): 4th 
> component is not 'trust', nothing to do.
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x0400): 
> calling ldap_search_ext with 
> [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaNTFlatName]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaNTSecurityIdentifier]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x2000): 
> ldap_search_ext called, msgid = 23
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaNTFlatName]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaNTSecurityIdentifier]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_done] (0x0400): 
> Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [get_subdomains_callback] (0x0400): Backend 
> returned: (0, 0, <NULL>) [Success]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [child_sig_handler] (0x1000): Waiting for 
> child [27310].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [child_sig_handler] (0x0100): child [27310] 
> finished successfully.
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [read_pipe_handler] (0x0400): EOF received, 
> client finished
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [parse_krb5_child_response] (0x1000): child 
> response [0][3][45].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [parse_krb5_child_response] (0x1000): child 
> response [0][-1073741822][24].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [parse_krb5_child_response] (0x1000): child 
> response [0][-1073741823][32].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [parse_krb5_child_response] (0x1000): TGT 
> times are [1468404320][1468404320][1468440320][1468490720].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [parse_krb5_child_response] (0x1000): child 
> response [0][6][8].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [fo_set_port_status] (0x0100): Marking port 
> 0 of server 'svlxxipap.linuxdomain.cz 
> <http://svlxxipap.linuxdomain.cz>' as 'working'
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [set_server_common_status] (0x0100): 
> Marking server 'svlxxipap.linuxdomain.cz 
> <http://svlxxipap.linuxdomain.cz>' as 'working'
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [fo_set_port_status] (0x0400): Marking port 
> 0 of duplicate server 'svlxxipap.linuxdomain.cz 
> <http://svlxxipap.linuxdomain.cz>' as 'working'
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [switch_creds] (0x0200): Switch user to 
> [988604700][988604700].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sss_krb5_check_ccache_princ] (0x2000): 
> Searching for [simecek.tomas at SD-STC.CZ 
> <mailto:simecek.tomas at SD-STC.CZ>] in cache of type [FILE]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [safe_remove_old_ccache_file] (0x0400): New 
> and old ccache file are the same, none will be deleted.
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_pam_handler_callback] (0x0100): Backend 
> returned: (0, 0, <NULL>) [Success]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_pam_handler_callback] (0x0100): Sending 
> result [0][sd-stc.cz <http://sd-stc.cz>]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_pam_handler_callback] (0x0100): Sent 
> result [0][sd-stc.cz <http://sd-stc.cz>]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sbus_get_sender_id_send] (0x2000): Not a 
> sysbus message, quit
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_get_account_info] (0x0100): Got request 
> for [3][1][name=simecek.tomas]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_req_set_domain] (0x0400): Changing 
> request domain from [linuxdomain.cz <http://linuxdomain.cz>] to 
> [sd-stc.cz <http://sd-stc.cz>]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [ipa_get_subdom_acct_send] (0x0400): 
> Initgroups requests are not handled by the IPA provider but are 
> resolved by the responder directly from the cache.
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [acctinfo_callback] (0x0100): Request 
> processed. Returned 3,95,Account info lookup failed
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sbus_get_sender_id_send] (0x2000): Not a 
> sysbus message, quit
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_req_set_domain] (0x0400): Changing 
> request domain from [linuxdomain.cz <http://linuxdomain.cz>] to 
> [sd-stc.cz <http://sd-stc.cz>]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_pam_handler] (0x0100): Got request with 
> the following data
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): command: 
> PAM_ACCT_MGMT
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): domain: 
> sd-stc.cz <http://sd-stc.cz>
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): user: 
> simecek.tomas at sd-stc.cz <mailto:simecek.tomas at sd-stc.cz>
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): service: sudo
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): ruser: 
> simecek.tomas at sd-stc.cz <mailto:simecek.tomas at sd-stc.cz>
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): rhost:
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): authtok type: 0
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): priv: 0
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [pam_print_data] (0x0100): cli_pid: 27305
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_access_send] (0x0400): Performing 
> access check for user [simecek.tomas at sd-stc.cz 
> <mailto:simecek.tomas at sd-stc.cz>]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_account_expired_rhds] (0x0400): 
> Performing RHDS access check for user [simecek.tomas at sd-stc.cz 
> <mailto:simecek.tomas at sd-stc.cz>]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x0400): 
> calling ldap_search_ext with 
> [(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz 
> <http://zp-cml-test.linuxdomain.cz>))][cn=accounts,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [objectClass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [fqdn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [serverHostname]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaSshPubKey]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x1000): 
> Requesting attrs: [ipaUniqueID]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_step] (0x2000): 
> ldap_search_ext called, msgid = 24
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [objectClass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [fqdn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [serverHostname]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No 
> sub-attributes for [ipaSshPubKey]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 27
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 28
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [1] groups for [simecek.tomas at sd-stc.cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas at sd-stc.cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_selinux_send] (0x2000): Connection status is [online].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaMigrationEnabled]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapDefault]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapOrder]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaMigrationEnabled]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 30
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_done] (0x0400): 
> Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_get_generic_ext_done] (0x2000): Total 
> count [0]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [ipa_selinux_get_maps_done] (0x0400): No 
> SELinux user maps found!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_pam_handler_callback] (0x0100): Backend 
> returned: (0, 0, Success) [Success]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_pam_handler_callback] (0x0100): Sending 
> result [0][sd-stc.cz <http://sd-stc.cz>]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [be_pam_handler_callback] (0x0100): Sent 
> result [0][sd-stc.cz <http://sd-stc.cz>]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz 
> <http://linuxdomain.cz>]]] [sdap_process_result] (0x2000): Trace: 
> ldap_result found nothing!
>
> Tomas Simecek
>
> 2016-07-13 11:50 GMT+02:00 Jakub Hrozek <jhrozek at redhat.com>:
>
>     On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote:
>     > Dear freeIPA gurus,
>     > in previous thread (
>     > https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html)
>     > you helped me make sudo work for AD users on Centos 7.0 (
>     > spcss-2t-www.linuxdomain.cz).
>     > It was caused by not knowing sudo needs to be enabled in HBAC rules.
>     > Now it works properly on Centos 7.0 client.
>     > But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
>     > same sssd.conf setup.
>     > Error message is always:
>     >
>     > [simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
>     > [sudo] password for simecek.tomas at sd-stc.cz:
>     > simecek.tomas at sd-stc.cz is not allowed to run sudo on zp-cml-test.  This incident will be reported.
>     >
>     > Here are my HBAC rules, the second one should apply. It definitely applies
>     > for Centos 7.0 server:
>     > [root at svlxxipap ~]# ipa hbacrule-find
>     > --------------------
>     > 2 HBAC rules matched
>     > --------------------
>     >   Rule name: allow_all
>     >   User category: all
>     >   Host category: all
>     >   Service category: all
>     >   Description: Allow all users to access any host from any host
>     >   Enabled: FALSE
>     >
>     >   Rule name: Unixari na test servery
>     >   Enabled: TRUE
>     >   User Groups: grpunixadmins
>     >   Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>     >   Services: login, sshd, sudo, sudo-i, su, su-l
>     > ----------------------------
>     > Number of entries returned 2
>     > ----------------------------
>     >
>     > This is my /etc/sssd/sssd.conf. It is the same as on Centos 7.0 server, just
>     > with proper server name of course:
>     >
>     > [root at zp-cml-test sssd]# cat /etc/sssd/sssd.conf
>     > [domain/linuxdomain.cz]
>     > cache_credentials = True
>     > krb5_store_password_if_offline = True
>     > ipa_domain = linuxdomain.cz
>     > id_provider = ipa
>     > krb5_realm = LINUXDOMAIN.CZ
>     > auth_provider = ipa
>     > access_provider = ipa
>     > ipa_hostname = zp-cml-test.linuxdomain.cz
>     > chpass_provider = ipa
>     > ipa_server = svlxxipap.linuxdomain.cz
>     > ldap_tls_cacert = /etc/ipa/ca.crt
>     > override_shell = /bin/bash
>     > sudo_provider = ldap
>     > ldap_uri = ldap://svlxxipap.linuxdomain.cz
>     > ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>     > ldap_sasl_mech = GSSAPI
>     > #ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ
>     > ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
>     > ldap_sasl_realm = LINUXDOMAIN.CZ
>     > krb5_server = svlxxipap.linuxdomain.cz
>     >
>     > [sssd]
>     > services = nss, sudo, pam, ssh
>     > config_file_version = 2
>     > debug_level = 0x3ff0
>     > domains = linuxdomain.cz
>     > [nss]
>     > homedir_substring = /home
>     >
>     > [pam]
>     > [sudo]
>     > debug_level = 0x3ff0
>     > [autofs]
>     > [ssh]
>     > [pac]
>     > [ifp]
>     >
>     > This is output from sssd_sudo.log:
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@sd-stc.cz]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*)))]
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
>     > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>     > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1330300][18]
>
>     When you look into the domain logs, do they show some rules being
>     fetched?
>
>     You can also install ldbsearch and then check what rules got stored in
>     the cache:
>         ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
>
>
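
The check both replies ask for (does the log show sudo rules being fetched and returned, or only HBAC and SELinux processing?) can be run over log text pasted from a mail like this one. This is an added example, not part of the original messages or of SSSD: `unwrap`, `triage` and the sample text are constructed for illustration, and the message formats matched are the ones quoted in this thread.

```python
import re

# SSSD debug entry: (timestamp) [process] [function] (0xlevel): message
ENTRY = re.compile(r"\((?P<ts>[^)]+)\) \[(?P<proc>sssd\[\S+?)\] "
                   r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)")
START = re.compile(r"\(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}\) \[sssd")
AUTOLINK = re.compile(r"\s*<(?:https?|mailto):[^>]*>")  # mail-client debris

def unwrap(pasted):
    """Rebuild one log entry per line from '>'-quoted, re-wrapped mail text."""
    entries = []
    for raw in pasted.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if line and (START.match(line) or not entries):
            entries.append(line)       # a timestamp opens a new entry
        elif line:
            entries[-1] += " " + line  # anything else continues the last one
    return [AUTOLINK.sub("", e) for e in entries]

def triage(entries):
    """Count HBAC/SELinux entries and pull out the sudo rule counts."""
    out = {"hbac": 0, "selinux": 0, "fetched": None, "returned": {}}
    for entry in entries:
        if not (m := ENTRY.search(entry)):
            continue
        func, msg = m["func"], m["msg"]
        for key, prefix in (("hbac", "hbac_"), ("selinux", "ipa_selinux_")):
            out[key] += func.startswith(prefix)
        if func == "sdap_sudo_refresh_load_done":         # backend: LDAP fetch
            n = re.search(r"Received (\d+) rules", msg)
            out["fetched"] = int(n[1]) if n else out["fetched"]
        elif func == "sudosrv_get_sudorules_from_cache":  # responder: cache read
            n = re.search(r"Returning (\d+) rules for \[(.+)\]", msg)
            if n:
                out["returned"][n[2]] = int(n[1])
    return out

# Constructed sample, modelled on the quoted and wrapped lines in this thread.
SAMPLE = """\
>     > (Wed Jul 13 08:58:38 2016) [sssd[sudo]]
>     [sudosrv_get_sudorules_from_cache]
>     > (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz
>     <mailto:simecek.tomas at sd-stc.cz>]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
> <http://linuxdomain.cz>]]] [hbac_service_attrs_to_rule] (0x2000):
> Added service [sudo] to rule [Unixari na test servery]
"""

print(triage(unwrap(SAMPLE)))
```

A result with `fetched` still `None` means the pasted log contains no sudo refresh entry at all, which is the situation the reply at the top of this message points out.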
