Discussion:
sudo - differences between Centos 6.5 and Centos 7.0?
Tomas Simecek
2016-07-13 09:18:21 UTC
Dear freeIPA gurus,
in the previous thread (
https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you
helped me get sudo working for AD users on Centos 7.0 (
spcss-2t-www.linuxdomain.cz).
It was caused by not knowing sudo needs to be enabled in HBAC rules.
Now it works properly on the Centos 7.0 client.
But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
same sssd.conf setup.
The error message is always:

[***@sd-***@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
[sudo] password for ***@sd-stc.cz:
***@sd-stc.cz is not allowed to run sudo on zp-cml-test. This
incident will be reported.

Here are my HBAC rules; the second one should apply. It definitely applies
to the Centos 7.0 server:
[***@svlxxipap ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: FALSE

Rule name: Unixari na test servery
Enabled: TRUE
User Groups: grpunixadmins
Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
Services: login, sshd, sudo, sudo-i, su, su-l
----------------------------
Number of entries returned 2
----------------------------

This is my /etc/sssd/sssd.conf. It is the same as on the Centos 7.0 server, just
with the proper server name of course:

[***@zp-cml-test sssd]# cat /etc/sssd/sssd.conf
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = host/zp-cml-***@LINUXDOMAIN.CZ
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
debug_level = 0x3ff0
domains = linuxdomain.cz
[nss]
homedir_substring = /home

[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
[ifp]

This is output from sssd_sudo.log:
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name '***@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name '***@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [***@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [***@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [***@sd-stc.cz] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
***@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz)(sudoUser=%
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz)(sudoUser=%***@sd-stc.cz
)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name '***@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name '***@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [***@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [***@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [***@sd-stc.cz] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
***@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz)(sudoUser=%
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz)(sudoUser=%***@sd-stc.cz
)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=***@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz)(sudoUser=%
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz)(sudoUser=%***@sd-stc.cz
)(sudoUser=%grpunixadmins)(sudoUser=+*)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [***@sd-stc.cz]
(Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000):
Terminated client [0x1330300][18]

It looks like it cannot get any rules from IPA server. Any idea why? It
works fine on Centos 7.0 client.

Thanks

Tomas
Jakub Hrozek
2016-07-13 09:50:04 UTC
When you look into the domain logs, do they show some rules being
fetched?

You can also install ldbsearch and then check what rules got stored in
the cache:
ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
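The two logs posted in this thread answer different questions: the domain log records the HBAC decision for the sudo PAM service, while sssd_sudo.log records how many sudo rules the responder returned from the cache. The Python sketch below is an added example, not part of the original posts or of SSSD; it unwraps mail-wrapped debug lines and reports both, using a constructed sample in which user@ad.example is a placeholder for the redacted user name.

```python
import re

# Constructed sample, modelled on the mail-wrapped log excerpts in this thread.
# user@ad.example is a placeholder; it is not a value from the original logs.
SAMPLE_LOG = """\
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=user@ad.example)
(sudoUser=%grpunixadmins)(sudoUser=+*)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>@ad.example]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [user@ad.example]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na
test servery]
"""

# A debug entry starts with "(Day Mon DD HH:MM:SS YYYY) [sssd...".
ENTRY_START = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\) \[sssd")
ENTRY = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\S*)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


def unwrap(text):
    """Rejoin entries that a mail client wrapped across several lines.

    Continuation lines are joined with one space, which is a heuristic: the
    wrap point is assumed to have been whitespace in the original log.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse(text):
    """Return one dict (ts, proc, func, level, msg) per well-formed entry."""
    return [m.groupdict() for m in map(ENTRY.match, unwrap(text)) if m]


def summarise(text):
    """Collect the HBAC decision and the sudo responder's cache results."""
    summary = {
        "hbac_granted_by": [],    # HBAC rule names that granted access
        "sudo_rules": {},         # user -> number of sudo rules returned
        "default_options": {},    # "<default options>@domain" -> count
        "groups_searched": set(), # %group names in the sysdb search filter
    }
    for entry in parse(text):
        msg = entry["msg"]
        if entry["func"] == "ipa_hbac_evaluate_rules":
            m = re.search(r"Access granted by HBAC rule \[(.+)\]", msg)
            if m:
                summary["hbac_granted_by"].append(m.group(1))
        elif entry["func"] == "sudosrv_get_sudorules_from_cache":
            m = re.search(r"Returning (\d+) rules for \[(.+)\]", msg)
            if m:
                who = m.group(2)
                key = ("default_options" if who.startswith("<default options>")
                       else "sudo_rules")
                summary[key][who] = int(m.group(1))
        elif entry["func"] == "sudosrv_get_sudorules_query_cache":
            summary["groups_searched"] |= set(
                re.findall(r"sudoUser=%([^)\s]+)\)", msg))
    return summary


def diagnose(summary):
    """Turn the summary into a one-line finding."""
    counts = summary["sudo_rules"]
    if not counts:
        return "no sudo responder result in log"
    if all(n == 0 for n in counts.values()):
        if summary["hbac_granted_by"]:
            return ("HBAC allows the sudo PAM service, "
                    "but the sudo cache returned 0 rules")
        return "sudo cache returned 0 rules"
    return "sudo rules returned"


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print(result)
    print(diagnose(result))
```
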
Tomas Simecek
2016-07-13 10:44:29 UTC
Thanks Jakub,
in domain log below I can see that rules were found properly:
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari
na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule
[Unixari na test servery]

It also matches the rule and says "Access granted":
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x1000):
[fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]
does not map to either a host or hostgroup. Skipping
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz]
to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): [1] groups for [***@sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [
***@sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na
test servery]

It also mentions SELinux, but I know it is disabled.

Any idea what to check next please?
Full part of the log follows:

(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=simecek.tomas]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by
the IPA provider but are resolved by the responder directly from the cache.
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback]
(0x0100): Request processed. Returned 3,95,Account info lookup failed
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
(0x0100): Got request with the following data
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): domain: sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): user: ***@sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): service: sudo
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): tty: /dev/pts/0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): ruser: ***@sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): rhost:
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): authtok type: 1
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): priv: 0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): cli_pid: 27305
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds]
(0x0200): Switch user to [988604700][988604700].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
(0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_port_status]
(0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is
'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
seconds
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
(0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[be_resolve_server_process] (0x0200): Found address for server
svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 601
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[ipa_resolve_callback] (0x0400): Constructed uri 'ldap://
svlxxipap.linuxdomain.cz'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [27310]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [27310]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains]
(0x0400): Got get subdomains [forced][SD-STC]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSecondaryBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060],
ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSecondaryBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060],
ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060],
ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0],
ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to
do.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTSecurityIdentifier]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x1000): Waiting for child [27310].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x0100): child [27310] finished successfully.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][3][45].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][-1073741822][24].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): TGT times are
[1468404320][1468404320][1468440320][1468490720].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][6][8].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status]
(0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[set_server_common_status] (0x0100): Marking server '
svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status]
(0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as
'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [switch_creds]
(0x0200): Switch user to [988604700][988604700].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sss_krb5_check_ccache_princ] (0x2000): Searching for [
***@SD-STC.CZ] in cache of type [FILE]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[safe_remove_old_ccache_file] (0x0400): New and old ccache file are the
same, none will be deleted.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=simecek.tomas]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by
the IPA provider but are resolved by the responder directly from the cache.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback]
(0x0100): Request processed. Returned 3,95,Account info lookup failed
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
(0x0100): Got request with the following data
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): command: PAM_ACCT_MGMT
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): domain: sd-stc.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): user: ***@sd-stc.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): service: sudo
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): tty: /dev/pts/0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): ruser: ***@sd-stc.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): rhost:
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): authtok type: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): priv: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): cli_pid: 27305
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send]
(0x0400): Performing access check for user [***@sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user
[***@sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz
))][cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [fqdn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [serverHostname]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSshPubKey]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=
zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]
using OpenLDAP deref
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
filter][fqdn=zp-cml-test.linuxdomain.cz
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_parse_entry] (0x0400): Got deref control
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref]
(0x1000): Dereferenced DN:
ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref]
(0x1000): Dereferenced DN:
ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_parse_entry] (0x0400): All deref results from a single
control parsed
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_service_info_next] (0x0400): Sending request for next search
base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search
base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 27
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [member]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [member]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_rule_info_next] (0x0400): Sending request for next search base:
[cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=
zp-cml-test.linuxdomain.cz
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=
zp-cml-test.linuxdomain.cz
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 28
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaenabledflag]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [accessRuleType]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberUser]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberService]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberHost]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule]
(0x1000): Processing rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na
test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users]
(0x2000): Search users with filter:
(&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users]
(0x2000): No such entry
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups]
(0x2000): Search groups with filter:
(&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to
rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari
na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x1000):
[fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]
does not map to either a host or hostgroup. Skipping
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz]
to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
[Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): [1] groups for [***@sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [
***@sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na
test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_selinux_send] (0x2000): Connection status is [online].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaMigrationEnabled]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapDefault]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapOrder]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaMigrationEnabled]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with
following parameters:
[2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 30
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!

Tomas Simecek
Post by Tomas Simecek
Dear freeIPA gurus,
in previous thread (https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html)
you helped me make sudo working for AD users on Centos 7.0 (spcss-2t-www.linuxdomain.cz).
It was caused by not knowing sudo needs to be enabled in HBAC rules.
Now it works properly on Centos 7.0 client.
But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
same sssd.conf setup.
incident will be reported.
Here are my HBAC rules, the second one should apply. It definitely applies
--------------------
2 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: FALSE
Rule name: Unixari na test servery
Enabled: TRUE
User Groups: grpunixadmins
Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
Services: login, sshd, sudo, sudo-i, su, su-l
----------------------------
Number of entries returned 2
----------------------------
This is my /etc/sssd/sssd.conf. It is the same as on the Centos 7.0 server, just
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
debug_level = 0x3ff0
domains = linuxdomain.cz
[nss]
homedir_substring = /home
[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
[ifp]
When you look into the domain logs, do they show some rules being
fetched?
You can also install ldbsearch and then check what rules got stored in
ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
Justin Stephenson
2016-07-13 14:24:15 UTC
Thanks Jakub,

in domain log below I can see that rules were found properly:
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule]
(0x1000): Processing PAM services for rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule]
(0x2000): Added service [login] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule]
(0x2000): Added service [sshd] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule]
(0x2000): Added service [sudo] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule]
(0x2000): Added service [sudo-i] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule]
(0x2000): Added service [su] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule]
(0x2000): Added service [su-l] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule]
(0x1000): Processing target hosts for rule [Unixari na test servery]

On 07/13/2016 06:44 AM, Tomas Simecek wrote:

These logs are related to HBAC rules, not sudo rule retrieval from IPA.
In the domain log you want to look for log messages similar to:

[sdap_sudo_refresh_load_done] (0x0400): Received $num-rules rules

[sssd[be[LDAP.PB]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule $rule-name

[sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache


You can check if the expected sudo rule is stored in the sssd cache file
with the following command:

# ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb objectclass=sudorule

If it is not there, then likely the problem is in the domain log because
sssd is not retrieving the sudo rule from the IPA server correctly.

Kind regards,
Justin Stephenson
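
The distinction drawn in this reply (HBAC evaluation versus sudo rule retrieval), as an added example that is not part of the original post: a small triage of an sssd domain log that rejoins mail-wrapped records and reports which of the two the log actually shows. The names `unwrap`, `triage` and the verdict strings are hypothetical, the sudo message wording is taken from the reply above and may differ between sssd versions, and both sample logs are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List, Optional

# A record starts with "(Wed Jul 13 12:05:21 2016)"; mail clients wrap the rest.
RECORD_START = re.compile(r"^\(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}\)")
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$"
)


def unwrap(lines: Iterable[str]) -> Iterator[str]:
    """Rejoin records that were wrapped across lines when pasted into mail."""
    record: Optional[str] = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            if record is not None:
                yield record
            record = line
        elif record is not None:
            record += " " + line
    if record is not None:
        yield record


@dataclass
class Triage:
    hbac_records: int = 0
    hbac_granted_by: List[str] = field(default_factory=list)
    sudo_records: int = 0
    sudo_received: Optional[int] = None
    sudo_rules_saved: List[str] = field(default_factory=list)
    sudo_stored: bool = False

    @property
    def verdict(self) -> str:
        # "hbac-only": access control was evaluated, sudo rules never fetched.
        if self.sudo_records == 0:
            return "hbac-only" if self.hbac_records else "no-evidence"
        if self.sudo_rules_saved and self.sudo_stored:
            return "sudo-cached"
        return "sudo-empty"


def triage(lines: Iterable[str]) -> Triage:
    """Classify records by the sssd function that logged them."""
    result = Triage()
    for record in unwrap(lines):
        m = RECORD.match(record)
        if m is None:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func.startswith(("hbac_", "ipa_hbac_")):
            result.hbac_records += 1
            granted = re.search(r"Access granted by HBAC rule \[(.+?)\]", msg)
            if granted:
                result.hbac_granted_by.append(granted.group(1))
        elif func.startswith("sdap_sudo_") or func == "sysdb_save_sudorule":
            result.sudo_records += 1
            received = re.search(r"Received (\d+) rules?", msg)
            saved = re.search(r"Adding sudo rule (\S+)", msg)
            if received:
                result.sudo_received = int(received.group(1))
            if saved:
                result.sudo_rules_saved.append(saved.group(1))
            if "stored in cache" in msg:  # tolerant of the message's spelling
                result.sudo_stored = True
    return result


# Constructed sample, modelled on the wrapped HBAC lines quoted in the thread.
HBAC_ONLY_LOG = """\
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule]
(0x2000): Added service [sudo] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules]
(0x0080): Access granted by HBAC rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]
"""

# Constructed sample of a sudo refresh; domain and rule names are placeholders.
SUDO_REFRESH_LOG = """\
(Wed Jul 13 12:10:00 2016) [sssd[be[example.test]]] [sdap_sudo_refresh_load_done] (0x0400): Received 2 rules
(Wed Jul 13 12:10:00 2016) [sssd[be[example.test]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule admins_all
(Wed Jul 13 12:10:00 2016) [sssd[be[example.test]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule web_restart
(Wed Jul 13 12:10:00 2016) [sssd[be[example.test]]] [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache
"""

if __name__ == "__main__":
    for name, text in (("hbac", HBAC_ONLY_LOG), ("sudo", SUDO_REFRESH_LOG)):
        print(name, triage(text.splitlines()).verdict)
```

A `hbac-only` verdict means the log proves only that access control allowed the sudo PAM service; whether any sudo rule reached the cache still has to be checked with the `ldbsearch` command given in the reply.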
Post by Tomas Simecek
Thanks Jakub,
It also mentions SELinux, but I know it is disabled.
Any idea what to check next please?
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_get_account_info] (0x0100): Got request
for [3][1][name=simecek.tomas]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_req_set_domain] (0x0400): Changing
request domain from [linuxdomain.cz <http://linuxdomain.cz>] to
[sd-stc.cz <http://sd-stc.cz>]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Initgroups requests are not handled by the IPA provider but are
resolved by the responder directly from the cache.
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [acctinfo_callback] (0x0100): Request
processed. Returned 3,95,Account info lookup failed
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sbus_get_sender_id_send] (0x2000): Not a
sysbus message, quit
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_req_set_domain] (0x0400): Changing
request domain from [linuxdomain.cz <http://linuxdomain.cz>] to
[sd-stc.cz <http://sd-stc.cz>]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_pam_handler] (0x0100): Got request with
the following data
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
PAM_AUTHENTICATE
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
sd-stc.cz <http://sd-stc.cz>
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): service: sudo
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): priv: 0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): cli_pid: 27305
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [switch_creds] (0x0200): Switch user to
[988604700][988604700].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT
not found or expired.
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [switch_creds] (0x0200): Switch user to [0][0].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [fo_resolve_service_send] (0x0100): Trying
to resolve service 'IPA'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [get_server_status] (0x1000): Status of
server 'svlxxipap.linuxdomain.cz <http://svlxxipap.linuxdomain.cz>' is
'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [get_port_status] (0x1000): Port status of
port 0 for server 'svlxxipap.linuxdomain.cz
<http://svlxxipap.linuxdomain.cz>' is 'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [fo_resolve_service_activate_timeout]
(0x2000): Resolve timeout set to 6 seconds
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [get_server_status] (0x1000): Status of
server 'svlxxipap.linuxdomain.cz <http://svlxxipap.linuxdomain.cz>' is
'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Saving the first resolved server
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_resolve_server_process] (0x0200): Found
address for server svlxxipap.linuxdomain.cz
<http://svlxxipap.linuxdomain.cz>: [10.1.123.103] TTL 601
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Constructed uri 'ldap://svlxxipap.linuxdomain.cz
<http://svlxxipap.linuxdomain.cz>'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [child_handler_setup] (0x2000): Setting up
signal handler up for pid [27310]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [child_handler_setup] (0x2000): Signal
handler set up for pid [27310]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [write_pipe_handler] (0x0400): All data has
been sent!
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sbus_get_sender_id_send] (0x2000): Not a
sysbus message, quit
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_get_subdomains] (0x0400): Got get
subdomains [forced][SD-STC]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
calling ldap_search_ext with
[objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaSecondaryBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
ldap_search_ext called, msgid = 21
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaSecondaryBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
calling ldap_search_ext with
[objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaNTFlatName]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
ldap_search_ext called, msgid = 22
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz
ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [ipa_subdom_get_forest] (0x0400): 4th
component is not 'trust', nothing to do.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
calling ldap_search_ext with
[objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
ldap_search_ext called, msgid = 23
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaNTSecurityIdentifier]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [get_subdomains_callback] (0x0400): Backend
returned: (0, 0, <NULL>) [Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [child_sig_handler] (0x1000): Waiting for
child [27310].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [child_sig_handler] (0x0100): child [27310]
finished successfully.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [read_pipe_handler] (0x0400): EOF received,
client finished
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [parse_krb5_child_response] (0x1000): child
response [0][3][45].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [parse_krb5_child_response] (0x1000): child
response [0][-1073741822][24].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [parse_krb5_child_response] (0x1000): child
response [0][-1073741823][32].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [parse_krb5_child_response] (0x1000): TGT
times are [1468404320][1468404320][1468440320][1468490720].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [parse_krb5_child_response] (0x1000): child
response [0][6][8].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [fo_set_port_status] (0x0100): Marking port
0 of server 'svlxxipap.linuxdomain.cz
<http://svlxxipap.linuxdomain.cz>' as 'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Marking server 'svlxxipap.linuxdomain.cz
<http://svlxxipap.linuxdomain.cz>' as 'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [fo_set_port_status] (0x0400): Marking port
0 of duplicate server 'svlxxipap.linuxdomain.cz
<http://svlxxipap.linuxdomain.cz>' as 'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [switch_creds] (0x0200): Switch user to
[988604700][988604700].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [switch_creds] (0x0200): Switch user to [0][0].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [safe_remove_old_ccache_file] (0x0400): New
and old ccache file are the same, none will be deleted.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_pam_handler_callback] (0x0100): Backend
returned: (0, 0, <NULL>) [Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_pam_handler_callback] (0x0100): Sending
result [0][sd-stc.cz <http://sd-stc.cz>]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_pam_handler_callback] (0x0100): Sent
result [0][sd-stc.cz <http://sd-stc.cz>]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sbus_get_sender_id_send] (0x2000): Not a
sysbus message, quit
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_get_account_info] (0x0100): Got request
for [3][1][name=simecek.tomas]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_req_set_domain] (0x0400): Changing
request domain from [linuxdomain.cz <http://linuxdomain.cz>] to
[sd-stc.cz <http://sd-stc.cz>]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Initgroups requests are not handled by the IPA provider but are
resolved by the responder directly from the cache.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [acctinfo_callback] (0x0100): Request
processed. Returned 3,95,Account info lookup failed
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sbus_get_sender_id_send] (0x2000): Not a
sysbus message, quit
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_req_set_domain] (0x0400): Changing
request domain from [linuxdomain.cz <http://linuxdomain.cz>] to
[sd-stc.cz <http://sd-stc.cz>]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [be_pam_handler] (0x0100): Got request with
the following data
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
PAM_ACCT_MGMT
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sd-stc.cz <http://sd-stc.cz>
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): service: sudo
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): priv: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [pam_print_data] (0x0100): cli_pid: 27305
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_access_send] (0x0400): Performing
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
calling ldap_search_ext with
[(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz
<http://zp-cml-test.linuxdomain.cz>))][cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [fqdn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [serverHostname]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaSshPubKey]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
ldap_search_ext called, msgid = 24
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [fqdn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [serverHostname]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaSshPubKey]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_range] (0x2000): No
sub-attributes for [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_get_generic_ext_done] (0x2000): Total
count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_has_deref_support] (0x0400): The
server supports deref method OpenLDAP
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_deref_search_send] (0x2000): Server
supports OpenLDAP deref
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Dereferencing entry [fqdn=zp-cml-test.linuxdomain.cz
<http://zp-cml-test.linuxdomain.cz>,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]
using OpenLDAP deref
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
calling ldap_search_ext with [no
filter][fqdn=zp-cml-test.linuxdomain.cz
<http://zp-cml-test.linuxdomain.cz>,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Requesting attrs: [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
ldap_search_ext called, msgid = 25
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_x_deref_parse_entry] (0x0400): Got
deref control
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_deref] (0x1000): Dereferenced
ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_parse_deref] (0x1000): Dereferenced
ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_x_deref_parse_entry] (0x0400): All
deref results from a single control parsed
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [sdap_get_generic_ext_done] (0x2000): Total
count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
<http://linuxdomain.cz>]]] [ipa_hostgroup_info_done] (0x0200): No host
groups were dereferenced
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
[cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
calling ldap_search_ext with
[(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Processing users for rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users
(&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search
(&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Processing PAM services for rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Added service [login] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Added service [sshd] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Added service [sudo] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Added service [sudo-i] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Added service [su] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Added service [su-l] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Processing target hosts for rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
[fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz
Processing source hosts for rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [1]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
Tomas Simecek
When you look into the domain logs, do they show some rules being
fetched?
You can also install ldbsearch and then check what rules got stored in
ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Lukas Slebodnik
2016-07-13 11:27:09 UTC
Post by Tomas Simecek
Dear freeIPA gurus,
in previous thread (
https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you
helped me make sudo working for AD users on Centos 7.0 (
spcss-2t-www.linuxdomain.cz).
It was caused by not knowing sudo needs to be enabled in HBAC rules.
Now it works properly on Centos 7.0 client.
But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
same sssd.conf setup.
A) I would not recommend using such an obsolete distribution as CentOS 6.5.
There is quite an old version of sssd (1.9.x), which has some bugs that
are solved in later versions. It would be better to use the latest CentOS 6.8,
or at least CentOS 6.7.

B) Have you tried to follow the instructions at
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

Please provide any comments on how we can improve the troubleshooting wiki.

LS
Tomas Simecek
2016-07-13 11:36:41 UTC
Lukas,
yes, I went through that guide and I configured sssd.conf as per the doc
(you can see it in the beginning of the thread).

Actually the installation is:
[***@zp-cml-test sssd]# cat /etc/redhat-release
CentOS release 6.6 (Final)

and versions are:
[***@zp-cml-test sssd]# rpm -qa |grep sssd
sssd-proxy-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
sssd-ldap-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-client-1.11.6-30.el6.x86_64


There are some reasons why not to upgrade to later versions, believe me, I
would do it if I could :-)

T.
Lukas Slebodnik
2016-07-13 11:44:09 UTC
Post by Tomas Simecek
Lukas,
yes, I went through that guide and I configured sssd.conf as per the doc
(you can see it in the beginning of the thread).
CentOS release 6.6 (Final)
sssd-proxy-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
sssd-ldap-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-client-1.11.6-30.el6.x86_64
1.11 has sudo_provider=ipa

@see instructions in man sssd-sudo how to configure it.
It should avoid issues with two different providers (ipa and ldap)
Post by Tomas Simecek
There are some reasons why not to upgrade to later versions, believe me, I
would do it if I could :-)
You can at least try to upgrade sssd from 6.8 if you do not want
to upgrade the whole OS.

LS
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Tomas Simecek
2016-07-13 12:25:48 UTC
Thanks for your information Lukas,
I have changed sudo_provider to ipa, restarted sssd and no difference.
Logfile still says "Access granted by HBAC rule..." and sudo says
***@sd-stc.cz is not allowed to run sudo on zp-cml-test.

Btw. man sssd-sudo says:
The following example shows how to configure SSSD to download
sudo rules from an LDAP server.

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap

so I am not that sure what should be set on my version of sssd.

Any idea?

Thanks

T.
l***@gmail.com
2016-07-13 12:52:30 UTC
Again what is client version on 6.5?


Sent from my iPhone
Tomas Simecek
2016-07-13 13:02:56 UTC
Hi,
versions are:
sssd-client-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
ipa-client-3.0.0-50.el6.centos.1.x86_64
as part of:
CentOS release 6.6 (Final)

T.
l***@gmail.com
2016-07-13 13:39:33 UTC
Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa provider did not work under 1.11

Sent from my iPhone
Tomas Simecek
2016-07-13 13:56:17 UTC
Thanks,
I will try. But I am afraid to update to more recent version than those in
official repos.

Thanks anyway.

T.
Danila Ladner
2016-07-13 14:32:40 UTC
Update to this one:
It has been running smoothly on 6.5

[***@dev-zlei.sec1 ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)

[***@dev-zlei.sec1 ~]# rpm -qa | grep sssd
sssd-client-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
Lukas Slebodnik
2016-07-14 07:17:38 UTC
Post by Danila Ladner
It has been running smoothly on 6.5
CentOS release 6.5 (Final)
sssd-client-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
+1 for latest sssd even on CentOS 6.5.

If you have a problem with 1.12 (from 6.7)
then we can look into log files.
Because there is still a chance that you just hit
a bug in 1.11 which is solved in 1.12

If it will not work then please provide
sssd.conf + log files with high debug_level sssd_sudo.log
and sssd_$domain.log

LS
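One way to triage the sssd_sudo.log requested above once it has been collected at a high debug_level. This is an added example, not part of the original thread and not SSSD's own tooling. It assumes the `(timestamp) [sssd[sudo]] [function] (level): message` line layout of the excerpts posted in this thread; the sample lines, user names, UIDs, the `webadmins` group and the verdict labels are constructed for illustration.

```python
import re

# Constructed sample in the sssd_sudo.log layout, hard-wrapped the way a mail
# client wraps it. Users, UIDs and the webadmins group are made up.
SAMPLE_LOG = r"""
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>@ad.example]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=alice@ad.example
)(sudoUser=#10001)(sudoUser=%domain\ users@ad.example)(sudoUser=%grpunixadmins
)(sudoUser=+*)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [alice@ad.example]
(Thu Jul 14 09:54:10 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=bob@ad.example
)(sudoUser=#10002)(sudoUser=%webadmins)(sudoUser=+*)))]
(Thu Jul 14 09:54:10 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 1 rules for [bob@ad.example]
(Thu Jul 14 09:54:30 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=carol@ad.example
)(sudoUser=#10003)(sudoUser=%domain\ users@ad.example)(sudoUser=+*)))]
(Thu Jul 14 09:54:30 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [carol@ad.example]
"""

RECORD_START = re.compile(r"^\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) ")
RECORD = re.compile(
    r"^\([^)]+\) \[sssd\[sudo\]\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
RETURNED = re.compile(r"Returning (\d+) rules for \[([^\]]+)\]")
SUDO_USER = re.compile(r"\(sudoUser=([^()]*)\)")


def unwrap(text):
    """Rejoin log records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def group_names(values):
    """Group entries are the sudoUser values prefixed with '%'; drop any @domain."""
    return sorted({v[1:].split("@")[0] for v in values if v.startswith("%")})


def triage(text, expected_group):
    """Map each user to the rule count, the groups searched and a verdict."""
    report, searched = {}, []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        if m["func"] == "sudosrv_get_sudorules_query_cache":
            # Remember the latest cache filter; it belongs to the next result line.
            searched = [v.strip() for v in SUDO_USER.findall(m["msg"])]
        elif m["func"] == "sudosrv_get_sudorules_from_cache":
            hit = RETURNED.search(m["msg"])
            if not hit or hit[2].startswith("<default options>"):
                continue
            rules, groups = int(hit[1]), group_names(searched)
            if rules:
                verdict = "rules-returned"
            elif expected_group in groups:
                # Membership resolved, but no cached rule matched: next check
                # whether sudo rules were downloaded at all (sssd_$domain.log).
                verdict = "group-searched-no-cached-rule"
            else:
                # The group the rule targets was never part of the lookup.
                verdict = "expected-group-not-in-lookup"
            report[hit[2]] = {"rules": rules, "groups": groups, "verdict": verdict}
    return report


if __name__ == "__main__":
    for user, info in triage(SAMPLE_LOG, "grpunixadmins").items():
        print(user, info)
```

A `group-searched-no-cached-rule` verdict separates a sudo rule lookup that found nothing from an authentication or HBAC failure, which this log does not record.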
Tomas Simecek
2016-07-14 08:09:04 UTC
Thanks all of you guys,
I have updated to:
sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
sssd-1.13.3-22.el6_8.4.x86_64
sssd-ldap-1.13.3-22.el6_8.4.x86_64
sssd-client-1.13.3-22.el6_8.4.x86_64
sssd-ad-1.13.3-22.el6_8.4.x86_64
sssd-proxy-1.13.3-22.el6_8.4.x86_64
libsss_idmap-1.13.3-22.el6_8.4.x86_64
sssd-common-1.13.3-22.el6_8.4.x86_64
sssd-ipa-1.13.3-22.el6_8.4.x86_64
python-sssdconfig-1.13.3-22.el6_8.4.noarch
sssd-krb5-1.13.3-22.el6_8.4.x86_64
sssd-common-pac-1.13.3-22.el6_8.4.x86_64
(there does not seem to be libsss_sudo in Centos as suggested by Danila).
and restarted sssd.

There are two rules enabled. One HBAC as I presented earlier:
Rule name: Unixari na test servery
Enabled: TRUE
User Groups: grpunixadmins
Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
Services: login, sshd, sudo, sudo-i, su, su-l

and one sudo rule:
Rule name: Pokusne
Enabled: TRUE
Command category: all
User Groups: grpunixadmins
Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz

Default "all-access" rules are disabled.

When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
still get:

[***@sd-***@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
[sudo] password for ***@sd-stc.cz:
***@sd-stc.cz is not in the sudoers file. This incident will be
reported.

It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).

sssd.conf:
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ipa
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = host/zp-cml-***@LINUXDOMAIN.CZ
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz
debug_level = 0x3ff0
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz
[nss]
homedir_substring = /home
[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
[ifp]


sssd_sudo.log from the moment I tried sudo:
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
***@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz
)(sudoUser=%grpunixadmins)(sudoUser=%***@sd-stc.cz)(sudoUser=%
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz
)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=***@sd-stc.cz
)(sudoUser=#988604700)(sudoUser=%domain\***@sd-stc.cz)(sudoUser=%
***@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%***@sd-stc.cz
)(sudoUser=%***@sd-stc.cz)(sudoUser=%***@sd-stc.cz
)(sudoUser=+*)))]
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [***@sd-stc.cz]
(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000):
Terminated client [0x260b690][17]
(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000):
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name '***@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name '***@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [***@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [***@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [***@sd-stc.cz] from [sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
***@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz)(sudoUser=%
***@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%***@sd-stc.cz
)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [<default options>@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name '***@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name '***@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [***@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [***@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [***@sd-stc.cz] from [sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
***@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz)(sudoUser=%
***@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%***@sd-stc.cz
)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=***@sd-stc.cz
)(sudoUser=#988604700)(sudoUser=%domain\***@sd-stc.cz)(sudoUser=%
***@sd-stc.cz)(sudoUser=%***@sd-stc.cz
)(sudoUser=%grpunixadmins)(sudoUser=%***@sd-stc.cz)(sudoUser=+*)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [***@sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Thu Jul 14 09:53:59 2016) [sssd[sudo]] [client_destructor] (0x2000):
Terminated client [0x260b690][17]
(Thu Jul 14 09:54:01 2016) [sssd[sudo]] [sbus_message_handler] (0x2000):
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service


Relevant part of sssd_linuxdomain.cz.log:
(I see only HBAC rule mentioned in the log, not the sudo rule, which is
strange)

(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.getAccountInfo on path
/org/freedesktop/sssd/dataprovider
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info]
(0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=simecek.tomas]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust
View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 10 timeout 6
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7140b0], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 10 finished
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
(0x2000): ldap_extended_operation sent, msgid = 11
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 11 timeout 6
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7140b0], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7140b0], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done]
(0x0400): ldap_extended_operation result: Success(0), (null).
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 11 finished
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_search_by_name] (0x0400): No such entry
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
(0x2000): ldap_extended_operation sent, msgid = 12
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 12 timeout 6
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x712c20], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x712c20], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done]
(0x0400): ldap_extended_operation result: Success(0), (null).
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 12 finished
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[ipa_s2n_save_objects] (0x2000): Updating memberships for
***@sd-stc.cz
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_update_members_ex] (0x0020): Could not add member [
***@sd-stc.cz] to group [name=***@sd-stc.cz
,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[ipa_s2n_save_objects] (0x2000): Updating memberships for
***@sd-stc.cz
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_update_members_ex] (0x0020): Could not add member [
***@sd-stc.cz] to group [name=***@sd-stc.cz
,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[(nil)], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.pamHandler on path
/org/freedesktop/sssd/dataprovider
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
(0x0100): Got request with the following data
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): domain: sd-stc.cz
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): user: ***@sd-stc.cz
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): service: sudo
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): tty: /dev/pts/0
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): ruser: ***@sd-stc.cz
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): rhost:
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): authtok type: 1
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): priv: 0
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): cli_pid: 20051
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): logon name: not set
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[krb5_auth_queue_send] (0x1000): Wait queue of user [***@sd-stc.cz]
is empty, running request [0x755710] immediately.
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
(0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [get_port_status]
(0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is
'working'
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
seconds
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
(0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[be_resolve_server_process] (0x0200): Found address for server
svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1200
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[ipa_resolve_callback] (0x0400): Constructed uri 'ldap://
svlxxipap.linuxdomain.cz'
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[unique_filename_destructor] (0x2000): Unlinking
[/var/lib/sss/pubconf/.krb5info_dummy_sLkk1j]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [unlink_dbg]
(0x2000): File already removed:
[/var/lib/sss/pubconf/.krb5info_dummy_sLkk1j]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [20056]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [20056]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.getDomains on path
/org/freedesktop/sssd/dataprovider
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains]
(0x0400): Got get subdomains [SD-STC]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSecondaryBaseRID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustedDomainSID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 13
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 13 timeout 6
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x179ad10], ldap[0x756770]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=LINUXDOMAIN.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseRID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSecondaryBaseRID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaIDRangeSize]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaRangeType]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x179ad10], ldap[0x756770]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=SD-STC.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaBaseRID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaIDRangeSize]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaRangeType]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x179ad10], ldap[0x756770]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 13 finished
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustedDomainSID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustDirection]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 14 timeout 6
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7129e0], ldap[0x756770]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7129e0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=sd-stc.cz,cn=ad,cn=trusts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTFlatName]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaNTTrustDirection]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7129e0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 14 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_subdom_is_member_dom] (0x0400): 4th component is not 'trust', not a
member domain
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_subdom_get_forest] (0x2000): The forest name is sd-stc.cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_store]
(0x0200): Trust direction of sd-stc.cz is trust direction not set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_deref_search_with_filter_send] (0x2000): Server supports OpenLDAP
deref
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_search_send] (0x0400): Dereferencing entry
[cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz
))][cn=accounts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 15 timeout 6
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x775c00], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x775c00], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_parse_entry] (0x0400): Got deref control
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_parse_entry] (0x0400): All deref results from a single
control parsed
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x775c00], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 15 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_view_name_done] (0x0400): No view found, using default.
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_view_name_done] (0x0400): Found view name [default].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>)
[Success]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[(nil)], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x1000): Waiting for child [20056].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x0100): child [20056] finished successfully.
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][3][45].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][-1073741822][24].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): TGT times are
[1468482837][1468482837][1468518837][1468569237].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[parse_krb5_child_response] (0x1000): child response [0][6][8].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status]
(0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[set_server_common_status] (0x0100): Marking server '
svlxxipap.linuxdomain.cz' as 'working'
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status]
(0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as
'working'
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue]
(0x1000): Wait queue for user [***@sd-stc.cz] is empty.
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x755710] done.
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.pamHandler on path
/org/freedesktop/sssd/dataprovider
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
(0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
(0x0100): Got request with the following data
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): command: SSS_PAM_ACCT_MGMT
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): domain: sd-stc.cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): user: ***@sd-stc.cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): service: sudo
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): tty: /dev/pts/0
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): ruser: ***@sd-stc.cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): rhost:
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): authtok type: 0
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): priv: 0
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): cli_pid: 20051
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
(0x0100): logon name: not set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send]
(0x0400): Performing access check for user [***@sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user
[***@sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_account_expired] (0x0400): IPA access control succeeded, checking AD
access control
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_account_expired_ad] (0x0400): Performing AD access check for user [
***@sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz
))][cn=accounts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 16
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 16 timeout 60
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7680b0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN: [fqdn=zp-cml-test.linuxdomain.cz
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [fqdn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [serverHostname]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSshPubKey]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaUniqueID]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7680b0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 16 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=
zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]
using OpenLDAP deref
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because
scope is set to base.
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
filter][fqdn=zp-cml-test.linuxdomain.cz
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 17 timeout 60
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7680b0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7680b0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_parse_entry] (0x0400): Got deref control
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref]
(0x1000): Dereferenced DN:
ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref]
(0x1000): Dereferenced DN:
ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_x_deref_parse_entry] (0x0400): All deref results from a single
control parsed
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7680b0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 17 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_service_info_next] (0x0400): Sending request for next search
base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 18
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 18 timeout 60
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=sshd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=login,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=su-l,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=sudo,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=sudo-i,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=gdm-password,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=crond,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=vsftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=proftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=gssftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 18 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search
base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 19
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 19 timeout 60
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [member]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [member]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 19 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_rule_info_next] (0x0400): Sending request for next search base:
[cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=
zp-cml-test.linuxdomain.cz
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=
zp-cml-test.linuxdomain.cz
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 20
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 20 timeout 60
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x754780], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x754780], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaenabledflag]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [accessRuleType]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberUser]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberService]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberHost]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x754780], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 20 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule]
(0x1000): Processing rule [Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na
test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users]
(0x2000): Search users with filter:
(&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users]
(0x2000): No such entry
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups]
(0x2000): Search groups with filter:
(&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to
rule [Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule
[Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule
[Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule
[Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule
[Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule
[Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari
na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule
[Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule
[Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x1000):
[fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]
does not map to either a host or hostgroup. Skipping
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz]
to rule [Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
[Unixari na test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): [8] groups for [***@sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x2000): Skipping non-group memberOf
[CN=wifi,CN=Users,DC=sd-stc,DC=cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x2000): Skipping non-group memberOf
[CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x2000): Skipping non-group memberOf
[CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x2000): Skipping non-group memberOf
[CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x2000): Skipping non-group memberOf
[CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x2000): Skipping non-group memberOf
[CN=central_DG,CN=Users,DC=sd-stc,DC=cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x2000): Skipping non-group memberOf
[CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [
***@sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na
test servery]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[(nil)], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_get_selinux_send] (0x2000): Connection status is [online].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaMigrationEnabled]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapDefault]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapOrder]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 21 timeout 60
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaMigrationEnabled]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 21 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with
following parameters:
[2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
(0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
(0x2000): New operation 22 timeout 60
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7548e0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7548e0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor]
(0x2000): Operation 22 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [20058]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [20058]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x7516d0], connected[1], ops[(nil)], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x1000): Waiting for child [20058].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x0100): child [20058] finished successfully.

Thanks for trying to help guys.
Any idea what might be wrong?

Thanks

T.
Post by Lukas Slebodnik
Post by Danila Ladner
It has been running smoothly on 6.5
CentOS release 6.5 (Final)
sssd-client-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
+1 for latest sssd even on CentOS 6.5.
If you have a problem with 1.12 (from 6.7)
then we can look into log files.
Because there is still a chance that you just hit
a bug in 1.11 which is solved in 1.12
If it will not work then please provide
sssd.conf + log files with high debug_level sssd_sudo.log
and sssd_$domain.log
LS
Lukas Slebodnik
2016-07-14 08:38:16 UTC
Post by Tomas Simecek
Thanks all of you guys,
sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
sssd-1.13.3-22.el6_8.4.x86_64
sssd-ldap-1.13.3-22.el6_8.4.x86_64
sssd-client-1.13.3-22.el6_8.4.x86_64
sssd-ad-1.13.3-22.el6_8.4.x86_64
sssd-proxy-1.13.3-22.el6_8.4.x86_64
libsss_idmap-1.13.3-22.el6_8.4.x86_64
sssd-common-1.13.3-22.el6_8.4.x86_64
sssd-ipa-1.13.3-22.el6_8.4.x86_64
python-sssdconfig-1.13.3-22.el6_8.4.noarch
sssd-krb5-1.13.3-22.el6_8.4.x86_64
sssd-common-pac-1.13.3-22.el6_8.4.x86_64
(there does not seem to be libsss_sudo in Centos as suggested by Danila).
and restarted sssd.
Rule name: Unixari na test servery
Enabled: TRUE
User Groups: grpunixadmins
Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
Services: login, sshd, sudo, sudo-i, su, su-l
Rule name: Pokusne
Enabled: TRUE
Command category: all
User Groups: grpunixadmins
Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
Default "all-access" rules are disabled.
When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
reported.
It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ipa
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz
debug_level = 0x3ff0
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz
[nss]
homedir_substring = /home
[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
[ifp]
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
)(sudoUser=+*)))]
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
Terminated client [0x260b690][17]
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
Not a sysbus message, quit
Client connected!
Received client version [1].
Offered version [1].
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
Your user does not have any valid sudo rules.
It might be caused by wrong group membership.
Are you sure that user ***@sd-stc.cz is a member of group grpunixadmins?

BTW this is described in sudo troubleshooting wiki

https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

LS
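The logs in this thread show HBAC granting access through group grpunixadmins while the sudo responder still finds no rule. The following is an added example, not part of the original thread and not SSSD code: it unwraps mail-wrapped SSSD debug records and reports which groups HBAC resolved for the user that never appear as `%group` terms in the sudo responder's cache filter. The sample log is constructed (user `jdoe`, domains `example.test` and `ad.example.test`), the function names are hypothetical, and `%name` as the group form of `sudoUser` is the sudoers LDAP convention assumed here.

```python
import re

# A record starts like "(Thu Jul 14 09:53:59 2016) [sssd[...".
RECORD_START = re.compile(
    r"^\(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}\) \[sssd\[")
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>.+?)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
GRANTED = re.compile(r"Access granted by HBAC rule \[(.+?)\]")
HBAC_GROUP = re.compile(r"Added group \[(.+?)\] for user")
SUDO_USER = re.compile(r"\(sudoUser=([^()]*)\)")

# Constructed sample in the wrapped layout the mail archive produces.
FAILING_LOG = """\
(Thu Jul 14 09:53:59 2016) [sssd[be[example.test]]]
[hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [
jdoe@ad.example.test]
(Thu Jul 14 09:53:59 2016) [sssd[be[example.test]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na
test servery]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jdoe@ad.example.test)(sudoUser=+*)))]
"""

# Same constructed log, but the sudo responder also searches for the group.
HEALTHY_LOG = FAILING_LOG.replace(
    "(sudoUser=+*)", "(sudoUser=%grpunixadmins)(sudoUser=+*)")


def unwrap(log_text):
    """Join continuation lines so each debug record is one string."""
    records, current = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) and current:
            records.append(" ".join(current))
            current = []
        current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def parse(log_text):
    """Return a dict per well-formed record; truncated records are skipped."""
    return [m.groupdict() for m in map(RECORD.match, unwrap(log_text)) if m]


def short_name(value):
    """'%Group@domain' -> 'group', for comparing across log sources."""
    return value.lstrip("%").split("@", 1)[0].strip().lower()


def triage(log_text):
    """Compare the groups HBAC used with the groups sudo searched for."""
    granted, hbac_groups, sudo_groups, sudo_searches = [], set(), set(), 0
    for rec in parse(log_text):
        if rec["func"] == "ipa_hbac_evaluate_rules":
            granted += GRANTED.findall(rec["msg"])
        elif rec["func"] == "hbac_eval_user_element":
            hbac_groups.update(
                short_name(g) for g in HBAC_GROUP.findall(rec["msg"]))
        elif rec["func"] == "sudosrv_get_sudorules_query_cache":
            sudo_searches += 1
            for value in SUDO_USER.findall(rec["msg"]):
                if value.strip().startswith("%"):
                    sudo_groups.add(short_name(value))
    # Only report a gap when the log actually contains a sudo cache search.
    missing = sorted(hbac_groups - sudo_groups) if sudo_searches else []
    return {
        "hbac_granted_by": granted,
        "hbac_groups": sorted(hbac_groups),
        "sudo_group_terms": sorted(sudo_groups),
        "groups_missing_from_sudo_filter": missing,
    }


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        print(name, triage(log))
```

Feed it the concatenated sssd_$domain.log and sssd_sudo.log from the affected client; a non-empty `groups_missing_from_sudo_filter` means the sudo responder did not search for the group that a group-based sudo rule needs.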
Tomas Simecek
2016-07-14 09:26:39 UTC
Hi Lukas,
we have Active Directory group "UnixAdmins".
We have IPA external group ad_admins_external
<https://svlxxipap.linuxdomain.cz/ipa/ui/#ad_admins_external>, which has
Windows "UnixAdmins" group as a member.
We have local IPA group grpunixadmins
<https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>, which has
ad_admins_external group as a member.
So from that perspective user ***@sd-stc.cz is a member of
grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>.
That setup works for ssh logins and for sudo on Centos 7.0.

It is as per installation document
https://www.freeipa.org/page/Active_Directory_trust_setup

Correct me if I am wrong, but if it works on Client 1, it should also work
on Client 2.

T.
Post by Tomas Simecek
Post by Tomas Simecek
Thanks all of you guys,
sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
sssd-1.13.3-22.el6_8.4.x86_64
sssd-ldap-1.13.3-22.el6_8.4.x86_64
sssd-client-1.13.3-22.el6_8.4.x86_64
sssd-ad-1.13.3-22.el6_8.4.x86_64
sssd-proxy-1.13.3-22.el6_8.4.x86_64
libsss_idmap-1.13.3-22.el6_8.4.x86_64
sssd-common-1.13.3-22.el6_8.4.x86_64
sssd-ipa-1.13.3-22.el6_8.4.x86_64
python-sssdconfig-1.13.3-22.el6_8.4.noarch
sssd-krb5-1.13.3-22.el6_8.4.x86_64
sssd-common-pac-1.13.3-22.el6_8.4.x86_64
(there does not seem to be libsss_sudo in Centos as suggested by Danila).
and restarted sssd.
Rule name: Unixari na test servery
Enabled: TRUE
User Groups: grpunixadmins
Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
Services: login, sshd, sudo, sudo-i, su, su-l
Rule name: Pokusne
Enabled: TRUE
Command category: all
User Groups: grpunixadmins
Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
Default "all-access" rules are disabled.
When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
be
Post by Tomas Simecek
reported.
It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ipa
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz
debug_level = 0x3ff0
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz
[nss]
homedir_substring = /home
[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
[ifp]
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache]
Post by Tomas Simecek
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
About
Post by Tomas Simecek
to get sudo rules from cache
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache]
Post by Tomas Simecek
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
)(sudoUser=+*)))]
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
Terminated client [0x260b690][17]
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_get_sender_id_send]
Not a sysbus message, quit
Client connected!
Received client version [1].
Offered version [1].
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache]
Post by Tomas Simecek
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
About
Post by Tomas Simecek
to get sudo rules from cache
(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains]
sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
About to get sudo rules from cache
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
Your user does not have any valid sudo rules.
It might be caused by wrong group membership.
BTW this is described in sudo troubleshooting wiki
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
LS
Lukas Slebodnik
2016-07-14 10:21:38 UTC
Post by Tomas Simecek
Hi Lukas,
we have Active Directory group "UnixAdmins".
We have IPA external group ad_admins_external
<https://svlxxipap.linuxdomain.cz/ipa/ui/#ad_admins_external>, which has
Windows "UnixAdmins" group as a member.
We have local IPA group grpunixadmins
<https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>, which has
ad_admins_external group as a member.
grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>.
That setup works for ssh logins and for sudo on Centos 7.0.
If user is member of group in IPA it does not mean that
it's properly propagated to client :-)

I can see a few errors in the log
Post by Tomas Simecek
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_update_members_ex] (0x0020): Could not add member [
,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[ipa_s2n_save_objects] (0x2000): Updating memberships for
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
[sysdb_update_members_ex] (0x0020): Could not add member [
,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
Please test with id ***@sd-stc.cz.
I'm pretty sure that you will not see a group grpunixadmins.

BTW according to domain logs it looks like a bug with extop plugin
on freeipa server. I assume that ipa server is on CentOS 7.0
because you mention it works on Centos 7.0.

I would strongly recommend to upgrade server to 7.2

LS
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Tomas Simecek
2016-07-14 10:43:10 UTC
Thanks Lukas,
to be honest I am not sure what you mean by "Please test with id
***@sd-stc.cz."
It is the user I am testing with all the time.

Here is what I see on client where sudo does not work:
[***@sd-***@zp-cml-test ~]$ id
uid=988604700(***@sd-stc.cz) gid=988604700(***@sd-stc.cz)
groups=988604700(***@sd-stc.cz),431200004(grpunixadmins),988600513(domain
***@sd-stc.cz),988604182(***@sd-stc.cz),988604754(***@sd-stc.cz
),988604825(***@sd-stc.cz),988604833(***@sd-stc.cz)

You can see Centos 6.6 client knows about all the groups assigned to the
users, incl. AD groups (unixadmins), which seems funny to me.

You are right, IPA server is Centos 7.0 and functional client is Centos 7.0
as well. Both login and sudo work on client with Centos 7.0.
Rules on IPA server are set to work on both clients, but work only on 7.0.
If I run update on server, it would update ipa-server from v.
4.2.0-15.0.1.el7.centos.6.1 to v. 4.2.0-15.0.1.el7.centos.17.

Does it make sense now?

Thanks

T.
Lukas Slebodnik
2016-07-14 10:49:44 UTC
Post by Tomas Simecek
Thanks Lukas,
to be honest I am not sure what do you mean by "Please test with id
It is the user I am testing with all the time.
Hmm, the user is a member of grpunixadmins. Then I wonder why sssd could not find
sudo rules for the user.

I would like to see full log file + dump of sssd cache.
Please:
* clean cache and log files on client
rm -f /var/lib/sss/db/* /var/log/sssd/*
* enable debug_level=9 in domain section and sudo
* restart sssd
* authenticate with ***@sd-stc.cz
* try sudo.
* send all sssd log files
* provide dump of sssd cache
ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
(utility ldbsearch is part of package ldb-tools)

LS
Tomas Simecek
2016-07-14 11:06:05 UTC
Hi Lukas,
I did as you said.
Logs are attached to this mail.

Thanks for helping.

T.
Lukas Slebodnik
2016-07-14 11:32:45 UTC
Post by Tomas Simecek
Hi Lukas,
I did as you said.
Logs are attached to this mail.
Thank you very much for provided data.

The main problem is that full refresh of sudo rules did not store any rules.

It might be caused by following errors which might be caused by issues
with old buggy IPA server on CentOS 7.0

[ipa_s2n_save_objects] (0x2000): Updating memberships for ***@sd-stc.cz
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
[sysdb_update_members_ex] (0x0020): Could not add member [***@sd-stc.cz] to group [name=***@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
[sysdb_update_members_ex] (0x0020): Could not add member [***@sd-stc.cz] to group [name=***@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.

Attached is a reduced log.

You might try new feature in sssd-1.13 on el6 which will
avoid using compat tree for sudo.

Try to change ldap_sudo_search_base from
ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz

It does not mean that it will solve issue with extop plugin
on IPA server (ipa_s2n_save_objects)

If it does not help then please provide the same data as in previous mail.
BTW I strongly suspect issues on IPA server on CentOS 7.0.
It might work on CentOS 7.0 client only by chance.

LS
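
The membership-failure signature quoted in the message above can be counted mechanically in an SSSD domain log. This is an added example, not part of the original thread or of SSSD; the function names and the sample log lines (placeholder names alice, bob, ad.example, ipa.example) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the group-membership
# failures the SSSD backend logs when it cannot store a membership.

# Constructed sample in the format of the lines quoted above.
sample_domain_log() {
    cat <<'EOF'
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for alice@ad.example
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example]]] [sysdb_update_members_ex] (0x0020): Could not add member [alice@ad.example] to group [name=unixadmins@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:53:57 2016) [sssd[be[ipa.example]]] [sysdb_update_members_ex] (0x0020): Could not add member [alice@ad.example] to group [name=domain users@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
(Thu Jul 14 09:54:02 2016) [sssd[be[ipa.example]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for bob@ad.example
(Thu Jul 14 09:54:02 2016) [sssd[be[ipa.example]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:54:02 2016) [sssd[be[ipa.example]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:54:02 2016) [sssd[be[ipa.example]]] [sysdb_update_members_ex] (0x0020): Could not add member [bob@ad.example] to group [name=unixadmins@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
EOF
}

# $1 = domain log, e.g. /var/log/sssd/sssd_<domain>.log
# Prints one line: skipped=<n> ldb_errors=<n> groups=<comma-separated names>
sssd_membership_triage() {
    awk '
        # ldb refused the modify: the group object is missing from the cache
        /\[sysdb_mod_group_member\].*ldb_modify failed/ { ldb++ }

        # the backend gave up on this membership and moved on
        /\[sysdb_update_members_ex\].*Could not add member/ {
            skipped++
            # "to group [name=" is 15 characters; the name ends at the first comma
            if (match($0, /to group \[name=[^,]*/)) {
                g = substr($0, RSTART + 15, RLENGTH - 15)
                if (!(g in seen)) {
                    seen[g] = 1
                    groups = (groups == "" ? g : groups "," g)
                }
            }
        }

        END { printf "skipped=%d ldb_errors=%d groups=%s\n", skipped, ldb, groups }
    ' "$1"
}

# Run against a real log when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    sssd_membership_triage "$1"
fi
```

A group listed here is one the client never recorded the user in, so a sudo rule bound to that group cannot match on this host.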
Tomas Simecek
2016-07-14 11:52:05 UTC
Hi Lukas,
sorry to say, but nothing helps.

I have just updated IPA server, so that now it is:
[***@svlxxipap ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

with:
[***@svlxxipap ~]# rpm -qa|grep ipa
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64

I have also changed sudoers to sudo in sssd.conf as you suggested and
restarted sssd.
No difference, still:
[***@sd-***@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for ***@sd-stc.cz:
***@sd-stc.cz is not in the sudoers file. This incident will be
reported.

I guess I will pilot some more IPA clients to make sure it works reliably
and if yes, I guess we will be able to live with the fact that older
Linuxes do not offer sudo to AD clients.

Or do you think there is something more to try?

Thanks

T.
Lukas Slebodnik
2016-07-14 16:42:49 UTC
Post by Tomas Simecek
Hi Lukas,
sorry to say, but nothing helps.
CentOS Linux release 7.2.1511 (Core)
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64
It has to work with IPA on CentOS 7.2
and sssd-1.13.3-22.el6_8.4 on client.
Post by Tomas Simecek
I have also changed sudoers to sudo in sssd.conf as you suggested and
restarted sssd.
reported.
I guess I will pilot some more IPA clients to make sure it works reliably
and if yes, I guess we will be able to live with the fact that older
Linuxes do not offer sudo to AD clients.
I assume you meant AD users from trust.

But previously, you provided data and user was member of group which
should be allowed to use sudo rules.

I would like to find out why sudo rules were not fetched from IPA.

I would like to see full log file + dump of sssd cache.
Please:
* clean cache and log files on *IPA server*
rm -f /var/lib/sss/db/* /var/log/sssd/*
* enable debug_level=9 in domain section and sudo
* restart sssd on *IPA server*

* clean cache and log files on *IPA client*
rm -f /var/lib/sss/db/* /var/log/sssd/*
* enable debug_level=9 in domain section and sudo
* restart sssd *IPA client*


* authenticate with user ***@sd-stc.cz
* call id ***@sd-stc.cz
* try sudo.

* send all sssd log files + sssd.conf
* provide dump of sssd cache
ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
(utility ldbsearch is part of package ldb-tools)


Please provide log files, sssd.conf and dump of sssd cache
from client and also from IPA server.

Thank you very much for patience.

LS
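
For the "enable debug_level=9 in domain section and sudo" step requested above, one way to make the change the same way on the server and on each client. This is an added example, not from the thread or from SSSD; the function names and the sample configuration (placeholder domain ipa.example) are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): set debug_level in every
# [domain/...] section and in [sudo] of an sssd.conf, leaving other
# sections such as [nss] untouched.

# Constructed sample: the domain section has an old level, [sudo] has none.
sample_sssd_conf() {
    cat <<'EOF'
[domain/ipa.example]
id_provider = ipa
sudo_provider = ipa
debug_level = 0x3ff0

[sssd]
services = nss, sudo, pam, ssh
domains = ipa.example

[nss]
debug_level = 2

[sudo]
EOF
}

# $1 = sssd.conf path, $2 = debug level; prints the rewritten file on stdout.
sssd_conf_set_debug() {
    awk -v lvl="$2" '
        # Section header: decide whether this section is one we manage and,
        # if so, write the new level directly under the header.
        /^[ \t]*\[/ {
            target = ($0 ~ /^[ \t]*\[domain\//) || ($0 ~ /^[ \t]*\[sudo\]/)
            print
            if (target) print "debug_level = " lvl
            next
        }
        # Drop the superseded setting inside a managed section.
        target && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$1"
}

# $1 = sssd.conf path, $2 = level. Keeps a .bak copy and rewrites the file
# in place with cat, so it keeps its owner and mode (sssd expects the file
# to be owned by root and readable only by root).
sssd_conf_apply() {
    tmp=$(mktemp) || return 1
    cp -p "$1" "$1.bak" &&
        sssd_conf_set_debug "$1" "$2" > "$tmp" &&
        cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Apply to a real file when a path and a level are given on the command line.
if [ "$#" -eq 2 ]; then
    sssd_conf_apply "$1" "$2"
fi
```

After applying it, the remaining steps are the ones listed in the message: clear the cache and logs, restart sssd, reproduce the sudo failure, then collect the logs and the ldbsearch dump.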
Tomas Simecek
2016-07-14 17:32:34 UTC
Hi Lukas,
thanks, I see you're really trying to help.
Log files are attached.
Rob Verduijn
2016-07-14 09:51:43 UTC
hi,

just a long shot here..

I've been battling sudo for a couple days now and found that my issue was
one related to symlinks
on centos7 'which cat' says /bin/cat
but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when
it sees one and to prevent abuse it requires the 'real' path for the sudo
rule : <user> ALL=(ALL) /usr/bin/cat
on centos6 which cat also says /bin/cat but since /bin is not a symlink it
requires the sudo rule to be <user> ALL=(ALL) /bin/cat
so for the sudo to work on both centos6 and centos7 you would require 2
sudo rules.

Ignore me if this is irrelevant.

Just my 2 cents
Rob
Tomas Simecek
2016-07-14 10:02:59 UTC
Hi Rob,
thanks, but this is not the case.
Firstly, for initial test purposes I am not limiting sudo to specific
commands, in the rule it is set to "any".
Secondly, it fails even in non-symlink cases:

[***@zp-cml-test ~]# which service
/sbin/service
[***@zp-cml-test ~]# ll /sbin/service
-rwxr-xr-x. 1 root root 1694 Oct 16 2014 /sbin/service
[***@zp-cml-test ~]# logout
[***@sd-***@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for ***@sd-stc.cz:
***@sd-stc.cz is not in the sudoers file. This incident will be
reported.

Thanks anyway, let me know if something else comes to your mind.

Tomas