Discussion:
sudo with freeIPA
Megan .
2014-08-25 10:51:27 UTC
Good Morning,

I'm very new to freeIPA. I'm running CentOS 6.5 with freeIPA v3

I have the freeIPA server up but I'm working on getting SUDO
configured. Currently I'm having problems getting sudo commands to
work on the client. I'm a bit unclear if I have everything configured
correctly. The only thing that I can figure out might be an issue is
that when I try the sudo command I see a filter search with
objectclass=sudoRule but when I check the ldap server it has
objectclass=sudoRole, so there are no results.

Any ideas? Thank you in advance for any advice.
[***@map1 ~]$ sudo /sbin/iptables -L
Enter RSA PIN+token:
tuser2 is not allowed to run sudo on map1. This incident will be reported.


CLIENT:

yum installed libsss_sudo

I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local

**still not sure what this is for **
Created a sudo user on ldap server
ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
**


[***@map1 sssd]# cat /etc/nsswitch.conf
#
passwd: files sss
shadow: files sss
group: files sss
sudoers: files sss
sudoers_debug: 1
#sudoers: files
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: files
automount: files ldap
aliases: files
[***@map1 sssd]#
[***@map1 sssd]# cat sssd.conf
[domain/server.example.com]

debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = server.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = map1.server.example.com
chpass_provider = ipa
ipa_server = _srv_, dir1.server.example.com
ldap_netgroup_search_base = cn=ng,cn=compat,dc=server,dc=example,dc=com
ldap_tls_cacert = /etc/ipa/ca.crt

sudo_provider = ldap
ldap_uri = ldap://dir1.server.example.com
ldap_sudo_search_base = ou=sudoers,dc=server,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/dir1.server.example.com
ldap_sasl_realm = server.example.com
krb5_server = dir1.server.example.com

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2

domains = server.example.com
[nss]

[pam]

[sudo]
debug_level=5

[autofs]

[ssh]

[pac]

from the sssd_sudo.log

(Mon Aug 25 10:36:31 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408962991)))]
(Mon Aug 25 10:36:31 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!

[***@dir1 ~]# !ldaps
ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W -b "dc=server,dc=example,dc=com" 'objectclass=sudoRole'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=server,dc=example,dc=com> with scope subtree
# filter: objectclass=sudoRole
# requesting: ALL
#

# test, sudoers, server.example.com
dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
objectClass: sudoRole
sudoUser: megan2
sudoUser: tuser2
sudoHost: map1.server.example.com
sudoCommand: /sbin/iptables -L
sudoCommand: /home/tuser1/test.sh
sudoCommand: test2.sh
cn: test

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[***@dir1 ~]# ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W -b "dc=server,dc=example,dc=com" 'objectclass=sudoRule'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=server,dc=example,dc=com> with scope subtree
# filter: objectclass=sudoRule
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Martin Kosek
2014-08-25 11:03:28 UTC
Post by Megan .
Good Morning,
I'm very new to freeIPA.
Welcome on board!
Post by Megan .
I'm running CentOS 6.5 with freeIPA v3
I have the freeIPA server up but I'm working on getting SUDO
configured. Currently I'm having problems getting sudo commands to
work on the client. I'm a bit unclear if I have everything configured
correctly. The only thing that I can figure out might be an issue is
that when I try the sudo command I see a filter search with
objectclass=sudoRule but when I check the ldap server it has
objectclass=sudoRole, so there are no results.
According to
http://www.sudo.ws/sudoers.ldap.man.html

the objectclass in the schema should really read "sudoRole" (I know, may be
confusing).
Post by Megan .
Any ideas? Thank you in advance for any advice.
Where do you see the filter?
Post by Megan .
tuser2 is not allowed to run sudo on map1. This incident will be reported.
yum installed libsss_sudo
I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
**still not sure what this is for **
This is for setting the NIS domain permanently. sudo uses NIS domains when it
uses sudo rules with host groups instead of individual host names.
Post by Megan .
from the sssd_sudo.log
(Mon Aug 25 10:36:31 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408962991)))]
(Mon Aug 25 10:36:31 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 10:36:33 2014) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
I do not understand why it searches with "sudorule" objectclass. According to
sssd-ldap man page, ldap_sudorule_object_class should default to "sudoRole".
Jakub or Pavel, any idea?
Post by Megan .
ldapsearch -h dir1.server.example.com -x -D "cn=Directory Manager" -W
-b "dc=server,dc=example,dc=com" 'objectclass=sudoRole'
# extended LDIF
#
# LDAPv3
# base <dc=server,dc=example,dc=com> with scope subtree
# filter: objectclass=sudoRole
# requesting: ALL
#
# test, sudoers, server.example.com
dn: cn=test,ou=sudoers,dc=server,dc=example,dc=com
objectClass: sudoRole
sudoUser: megan2
sudoUser: tuser2
sudoHost: map1.server.example.com
sudoCommand: /sbin/iptables -L
sudoCommand: /home/tuser1/test.sh
sudoCommand: test2.sh
cn: test
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
"cn=Directory Manager" -W -b "dc=server,dc=example,dc=com"
'objectclass=sudoRule'
# extended LDIF
#
# LDAPv3
# base <dc=server,dc=example,dc=com> with scope subtree
# filter: objectclass=sudoRule
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
I do not know the root cause, but Pavel or Jakub will be able to provide help.
BTW, FreeIPA 4.0+ enables SUDO via SSSD's sudo provider automatically
(https://fedorahosted.org/freeipa/ticket/3358). This functionality will also be
available in RHEL-6.6.

Martin
Alexander Bokovoy
2014-08-25 11:08:51 UTC
Post by Martin Kosek
I do not understand why it searches with "sudorule" objectclass. According to
sssd-ldap man page, ldap_sudorule_object_class should default to "sudoRole".
Jakub or Pavel, any idea?
It is a search against SSSD's local cache where the object class is
sudoRule. A correct entry for searching against LDAP server should be in the sss_<domain>.log
--
/ Alexander Bokovoy
Megan .
2014-08-25 12:02:02 UTC
Below is the output from the sss_<domain>.log when I ran the sudo
command as the user. I see things about offline replies and LDAP not
working. Is this my problem or is this part of a normal series of
items that are tried?
(Mon Aug 25 11:53:23 2014) [sssd[be[server.example.com]]]
[be_get_account_info] (0x0100): Got request for
[4098][1][idnumber=1079600005]

(Mon Aug 25 11:53:23 2014) [sssd[be[server.example.com]]]
[be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast
reply - offline

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=tuser2]

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_pam_handler] (0x0100): Got request with the following data

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): domain: server.example.com

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): user: tuser2

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): service: sudo

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/1

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): ruser: tuser2

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): rhost:

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): authtok type: 1

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): authtok size: 23

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): newauthtok type: 0

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): newauthtok size: 0

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): priv: 0

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): cli_pid: 17822

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[check_for_valid_tgt] (0x0080): TGT is valid.

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[resolve_srv_send] (0x0200): The status of SRV lookup is neutral

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[resolve_srv_cont] (0x0100): Searching for servers via SRV query
'_ldap._tcp.server.example.com'

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
'_ldap._tcp.server.example.com'

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as
'not working'

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as
'not resolved'

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.example.com: [10.10.26.148] TTL 7200

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[krb5_find_ccache_step] (0x0080): Saved ccache
FILE:/tmp/krb5cc_1079600005_Hfzpn4 if of different type than ccache in
configuration file, reusing the old ccache

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[sysdb_cache_auth] (0x0100): Hashes do match!

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>)
[Provider is Offline (Authentication service cannot retrieve
authentication info)]

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_pam_handler_callback] (0x0100): Sending result
[9][server.example.com]

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_pam_handler_callback] (0x0100): Sent result
[9][server.example.com]

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_pam_handler] (0x0100): Got request with the following data

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): command: PAM_ACCT_MGMT

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): domain: server.example.com

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): user: tuser2

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): service: sudo

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/1

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): ruser: tuser2

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): rhost:

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): authtok type: 0

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): authtok size: 0

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): newauthtok type: 0

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): newauthtok size: 0

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): priv: 0

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[pam_print_data] (0x0100): cli_pid: 17822

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[allow_all]

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_pam_handler_callback] (0x0100): Sending result
[0][server.example.com]

(Mon Aug 25 11:53:24 2014) [sssd[be[server.example.com]]]
[be_pam_handler_callback] (0x0100): Sent result
[0][server.example.com]

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[get_port_status] (0x0100): Reseting the status of port 389 for server
'dir1.server.example.com'

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.example.com: [10.10.26.148] TTL 7200

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'KERBEROS'

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.example.com: [10.10.26.148] TTL 7200

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[child_sig_handler] (0x0100): child [17823] finished successfully.

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[fo_set_port_status] (0x0100): Marking port 389 of server
'dir1.server.example.com' as 'not working'

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[fo_resolve_service_send] (0x0020): No available servers for service
'LDAP'

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline
(5 [Input/output error])

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[be_run_offline_cb] (0x0080): Going offline. Running callbacks.

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full
refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily
unavailable)

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kpasswdinfo.server.example.com], [2][No such
file or directory]

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kdcinfo.server.example.com], [2][No such file or
directory]

(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kpasswdinfo.server.example.com], [2][No such
file or directory]
Jakub Hrozek
2014-08-25 12:26:49 UTC
Post by Megan .
Below is the output from the sss_<domain>.log when i ran the sudo
command as the user. I see things about offline replies and LDAP not
working. Is this my problem or is this part of a normal series of
items that are tried?
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.example.com: [10.10.26.148] TTL 7200
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[child_sig_handler] (0x0100): child [17823] finished successfully.
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]]
[sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
It appears your keytab is wrong. Can you run:
kinit -k
as root on that machine?

If you prepend KRB5_TRACE you will see a lot of debugging info.
Jakub Hrozek
2014-08-25 12:11:09 UTC
Post by Megan .
Good Morning,
I'm very new to freeIPA. I'm running CentOS 6.5 with freeIPA v3
I have the freeIPA server up but I'm working on getting SUDO
configured. Currently I'm having problems getting sudo commands to
work on the client. I'm a bit unclear if I have everything configured
correctly. The only thing that I can figure out might be an issue is
that when I try the sudo command I see a filter search with
objectclass=sudoRule but when I check the ldap server it has
These two searches are unrelated. The sudoRule objectclass is what we use
internally in sssd cache. On the LDAP side, sudoRole is used.

In general, only the [domain] process works with LDAP data, all others
(nss, pam, sudo, ...) work with cached data that might look totally
different.
Post by Megan .
objectclass=sudoRole, so there are no results.
Any ideas? Thank you in advance for any advice.
Can you put debug_level into the domain section as well and increase the
debug_level of both to 7?
Post by Megan .
tuser2 is not allowed to run sudo on map1. This incident will be reported.
yum installed libsss_sudo
I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
**still not sure what this is for **
Created a sudo user on ldap server
ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory
Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
**
The config file looks good to me.
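As an added example (not code from this thread or from SSSD), a small Python triage script that reads the two logs Jakub distinguishes: it parses sssd_sudo.log to confirm that the objectClass=sudoRule filters are sysdb cache lookups, and sssd_<domain>.log for the SRV, TGT and offline signatures quoted above, ending with the kinit -k check from the earlier reply. The sample log lines are constructed from the entries in this thread; the script assumes one entry per line as sssd writes it (the mailing-list copies are wrapped by the mailer).

```python
import re

# One sssd log entry per line: "(timestamp) [sssd[process]] [function] (level): message".
# The log files on disk have one entry per line; the copies in the thread are mail-wrapped.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>.+?)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
FILTER_RE = re.compile(r"Searching sysdb with \[(.*)\]$")
RULES_RE = re.compile(r"Returning (\d+) rules for")

# Failure signatures taken from the sssd_<domain>.log in this thread, in the order sssd emits them.
DOMAIN_SIGNATURES = [
    ("srv_lookup_failed", "resolve_srv_done", "SRV query failed"),
    ("tgt_failed", "sdap_kinit_done", "Could not get TGT"),
    ("ldap_port_not_working", "fo_set_port_status", "as 'not working'"),
    ("no_ldap_servers", "fo_resolve_service_send", "No available servers"),
    ("went_offline", "sdap_id_op_connect_done", "going offline"),
    ("sudo_refresh_failed", "sdap_sudo_periodical_first_refresh_done", "refresh of sudo rules failed"),
]

# Constructed sample logs modelled on the entries quoted in this thread (not real captures).
SUDO_LOG = """\
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [tuser2@server.domain.com]
(Mon Aug 25 12:31:42 2014) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
"""
DOMAIN_LOG = """\
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]] [be_resolve_server_process] (0x0200): Found address for server dir1.server.example.com: [10.10.26.148] TTL 7200
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dir1.server.example.com' as 'not working'
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Mon Aug 25 11:54:46 2014) [sssd[be[server.example.com]]] [sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily unavailable)
"""


def parse_sssd_log(text):
    """Parse entries; lines that do not match the entry shape are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def sudo_responder_summary(text):
    """sssd_sudo.log view: every sysdb filter names objectClass=sudoRule because that is
    the cache schema; it says nothing about the sudoRole entries on the LDAP server."""
    filters, returned = [], []
    for e in parse_sssd_log(text):
        if e["proc"] != "sudo":
            continue
        m = FILTER_RE.search(e["msg"])
        if m:
            filters.append(m.group(1))
        m = RULES_RE.search(e["msg"])
        if m:
            returned.append(int(m.group(1)))
    return {
        "cache_filters": len(filters),
        "cache_only": bool(filters) and all("objectClass=sudoRule" in f for f in filters),
        "rules_returned": returned,
    }


def triage_domain_log(text):
    """sssd_<domain>.log view: first message for each failure signature, keyed in the
    order first seen (dict order), which is the causal chain the backend logged."""
    seen = {}
    for e in parse_sssd_log(text):
        if not e["proc"].startswith("be["):
            continue
        for key, func, needle in DOMAIN_SIGNATURES:
            if key not in seen and e["func"] == func and needle in e["msg"]:
                seen[key] = e["msg"]
    return seen


def diagnose(sudo_text, domain_text):
    """Combine both views into an ordered list of findings; the last one is the next step."""
    sudo = sudo_responder_summary(sudo_text)
    domain = triage_domain_log(domain_text)
    findings = []
    if sudo["cache_only"]:
        findings.append("sudo responder queried the sysdb cache only; sudoRule vs sudoRole is not the problem")
    if sudo["rules_returned"] and max(sudo["rules_returned"]) == 0:
        findings.append("cache returned 0 rules; the domain process has to fetch them from LDAP first")
    if "sudo_refresh_failed" in domain:
        findings.append("domain process: sudo rule refresh failed because the provider went offline")
    if "tgt_failed" in domain:
        findings.append("next step: keytab suspect, run 'kinit -k' as root with KRB5_TRACE set for detail")
    elif "srv_lookup_failed" in domain:
        findings.append("next step: SRV lookup failed, check the DNS SRV records for the domain")
    return findings


if __name__ == "__main__":
    for line in diagnose(SUDO_LOG, DOMAIN_LOG):
        print("-", line)
```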
Megan .
2014-08-25 12:33:51 UTC
OK. Changed debug_level to 7. I already had it in the domain section (first line).
Not sure if this makes a difference

[***@map1 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=5
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
from sssd_sudo.log

(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Received client version [1].
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Offered version [1].
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [tuser2] from [<ALL>]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [***@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [***@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [tuser2] from [server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
[<default options>@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [tuser2] from [<ALL>]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [***@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [***@server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [tuser2] from [server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
[***@server.domain.com]
(Mon Aug 25 12:31:42 2014) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!








from sssd_server.log



(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x0400): Got get subdomains [not forced][]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x0400): Cannot proceed, provider is offline.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x1000): Request processed. Returned
1,11,Provider is offline

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Got request for
[4098][1][idnumber=1079600005]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast
reply - offline

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 0 for server '(no
name)' is 'neutral'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_send] (0x0200): The status of SRV lookup is neutral

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use
DNS discovery domain 'server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_cont] (0x0100): Searching for servers via SRV query
'_ldap._tcp.server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
'_ldap._tcp.server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[request_watch_destructor] (0x0400): Deleting request watch

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as
'not working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as
'not resolved'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Trying with the next one!

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 0 for server
'dir1.server.domain.com' is 'neutral'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipa_resolve_callback] (0x0400): Constructed uri
'ldap://dir1.server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for
connecting

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://dir1.server.domain.com:389/??base] with fd [25].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[namingContexts]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedControl]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedExtension]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedFeatures]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedLDAPVersion]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedSASLMechanisms]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[domainControllerFunctionality]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[defaultNamingContext]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[highestCommittedUSN]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_send] (0x0400): Attempting kinit (default,
host/map1.server.domain.com, server.domain.com, 86400)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
TGT...

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[create_tgt_req_send_buffer] (0x1000): buffer size: 72

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt
child

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[write_pipe_handler] (0x0400): All data has been sent!

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[read_pipe_handler] (0x0400): EOF received, client finished

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_server.domain.com], expired on
[1409056143]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_cli_auth_step] (0x0100): expire timeout is 900

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_cli_auth_step] (0x1000): the connection will expire at
1408970643

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user:
host/map1.server.domain.com

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x1000): Waiting for child [17983].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x0100): child [17983] finished successfully.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_set_port_status] (0x0100): Marking port 0 of server
'dir1.server.domain.com' as 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_server_common_status] (0x0100): Marking server
'dir1.server.domain.com' as 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base
[cn=accounts,dc=server,dc=domain,dc=com]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(gidNumber=1079600005)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=server,dc=domain,dc=com].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[modifyTimestamp]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_run_online_cb] (0x0080): Going online. Running callbacks.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_groups_process] (0x0400): Search for groups, returned 1
results.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_has_deref_support] (0x0400): The server supports deref method
OpenLDAP

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_group] (0x0400): Processing group tuser2

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_group] (0x1000): Original USN value is not available for
[tuser2].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_process_ghost_members] (0x0400): The group has 0 members

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_process_ghost_members] (0x0400): Group has 0 members

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_group] (0x0400): Storing info for group tuser2

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_grpmem] (0x1000): No members for group [tuser2]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_grpmem] (0x0400): Storing members for group tuser2

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
1408969743

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo
rules

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 389 for server
'dir1.server.domain.com' is 'not working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x0100): Reseting the status of port 389 for server
'dir1.server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_uri_callback] (0x0400): Constructed uri
'ldap://dir1.server.domain.com'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for
connecting

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://dir1.server.domain.com:389/??base] with fd [26].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[namingContexts]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedControl]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedExtension]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedFeatures]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedLDAPVersion]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedSASLMechanisms]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[domainControllerFunctionality]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[defaultNamingContext]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[highestCommittedUSN]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_send] (0x0400): Attempting kinit (default,
host/dir1.server.domain.com, server.domain.com, 86400)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service
KERBEROS

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'KERBEROS'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
TGT...

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[create_tgt_req_send_buffer] (0x1000): buffer size: 72

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt
child

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[write_pipe_handler] (0x0400): All data has been sent!

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[read_pipe_handler] (0x0400): EOF received, client finished

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_tgt_recv] (0x0400): Child responded: 14 [Error writing to
key table], expired on [0]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [5] result [4]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_set_port_status] (0x0100): Marking port 389 of server
'dir1.server.domain.com' as 'not working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 389 for server
'dir1.server.domain.com' is 'not working'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0020): No available servers for service
'LDAP'

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x1000): Waiting for child [17984].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x0100): child [17984] finished successfully.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_done] (0x1000): Server resolution failed: 5

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline
(5 [Input/output error])

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_run_offline_cb] (0x0080): Going offline. Running callbacks.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full
refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily
unavailable)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is
offline. Scheduling another full refresh in 6 minutes.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
1408970103

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
1408969743

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo
rules

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full
refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily
unavailable)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is
offline. Scheduling another full refresh in 8 minutes.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at:
1408970223

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaNTTrustedDomain][cn=trusts,dc=server,dc=domain,dc=com].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTFlatName]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustedDomainSID]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaIDRange][cn=ranges,cn=etc,dc=server,dc=domain,dc=com].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSecondaryBaseRID]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaIDRangeSize]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTTrustedDomainSID]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_update_ranges] (0x0400): Adding range
[server.domain.com_id_range].

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_range_create] (0x0040): Invalid range, expected that either the
secondary base rid or the SID of the trusted domain is set, but not
both or none of them.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_range_create] (0x0400): Error: 22 (Invalid argument)

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_update_ranges] (0x0040): sysdb_range_create failed.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipa_subdomains_handler_ranges_done] (0x0040): sysdb_update_ranges
failed.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[delayed_online_authentication_callback] (0x0200): Backend is online,
starting delayed online authentication.

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file
or directory]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kdcinfo.server.domain.com], [2][No such file or
directory]

(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file
or directory]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=tuser2]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler] (0x0100): Got request with the following data

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): domain: server.domain.com

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): user: tuser2

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): service: sudo

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/1

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): ruser: tuser2

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): rhost:

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok type: 1

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok size: 23

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok type: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok size: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): priv: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): cli_pid: 17982

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[cc_residual_is_used] (0x1000): User [1079600005] is still active,
reusing ccache [/tmp/krb5cc_1079600005_Hfzpn4].

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[check_for_valid_tgt] (0x1000): TGT end time [1409049392].

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[check_for_valid_tgt] (0x0080): TGT is valid.

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 0 for server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[ipa_resolve_callback] (0x0400): Constructed uri
'ldap://dir1.server.domain.com'

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[krb5_find_ccache_step] (0x0080): Saved ccache
FILE:/tmp/krb5cc_1079600005_Hfzpn4 if of different type than ccache in
configuration file, reusing the old ccache

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[sysdb_cache_auth] (0x0100): Hashes do match!

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>)
[Provider is Offline (Authentication service cannot retrieve
authentication info)]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sending result
[9][server.domain.com]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [9][server.domain.com]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler] (0x0100): Got request with the following data

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): command: PAM_ACCT_MGMT

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): domain: server.domain.com

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): user: tuser2

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): service: sudo

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/1

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): ruser: tuser2

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): rhost:

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok type: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok size: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok type: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok size: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): priv: 0

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): cli_pid: 17982

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[sdap_access_send] (0x0400): Performing access check for user [tuser2]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[sdap_account_expired_rhds] (0x0400): Performing RHDS access check for
user [tuser2]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_attrs_to_rule] (0x1000): Processing rule [allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_user_attrs_to_rule] (0x1000): Processing users for rule
[allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for
rule [allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule
[allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
[allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_eval_user_element] (0x1000): [2] groups for [tuser2]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_eval_user_element] (0x1000): Added group [ipausers] for user
[tuser2]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[allow_all]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sending result
[0][server.domain.com]

(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][server.domain.com]
Post by Jakub Hrozek
Post by Megan .
Good Morning,
I'm very new to freeIPA. I'm running centOS 6.5 with freeIPA v3
I have the freeIPA server up but i'm working on getting SUDO
configured. Currently i'm having problems getting sudo commands to
work on the client. I'm a bit unclear if i have everything configured
correctly. The only thing that I can figure out might be an issue, is
when i try the sudo command i see a filter search with
objectclass=sudoRule but when i check the ldap server it has
These two searches are unrelated. The sudoRule objectclass is what we use
internally in sssd cache. On the LDAP side, sudoRole is used.
In general, only the [domain] process works with LDAP data, all others
(nss, pam, sudo, ...) work with cached data that might look totally
different.
Post by Megan .
objectclass=sudoRole, so there are no results.
Any ideas? Thank you in advance for any advice.
Can you put debug_level into the domain section as well and increase the
debug_level of both to 7?
Post by Megan .
tuser2 is not allowed to run sudo on map1. This incident will be reported.
yum installed libsss_sudo
I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
**still not sure what this is for **
Created a sudo user on ldap server
ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory
Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
**
The config file looks good to me.
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
William Graboyes
2014-08-25 21:54:24 UTC
Permalink
Hi Megan,

I had the same problem with CENTOS 6.5 and free-ipa. I did a ton of
searching, and IIRC the conclusion was a bug in that version of sssd, I
don't remember all of the details, however I do remember the work
around.

Create a system account (in this case I called it sudo).

Create or edit the following file.

/etc/sudo-ldap.conf

## BINDDN DN
## The BINDDN parameter specifies the identity, in the form of a
## Distinguished Name (DN), to use when performing LDAP operations. If
## not specified, LDAP operations are performed with an anonymous
## identity. By default, most LDAP servers will allow anonymous
## access.
##
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com

## BINDPW secret
## The BINDPW parameter specifies the password to use when performing
## LDAP operations. This is typically used in conjunction with the
## BINDDN parameter.
##
bindpw ${obfusticated}

## SSL start_tls
## If the SSL parameter is set to start_tls, the LDAP server
## connection is initiated normally and TLS encryption is begun before the
## bind credentials are sent. This has the advantage of not requiring
## a dedicated port for encrypted communications. This parameter is
## only supported by LDAP servers that honor the start_tls extension,
## such as the OpenLDAP and Tivoli Directory servers.
##
ssl start_tls

## TLS_CACERTFILE file name
## The path to a certificate authority bundle which contains the
## certificates for all the Certificate Authorities the client knows to
## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only
## supported by the OpenLDAP libraries. Netscape-derived LDAP libraries
## use the same certificate database for CA and client certificates
## (see TLS_CERT).
##
tls_cacertfile /etc/ipa/ca.crt

## TLS_CHECKPEER on/true/yes/off/false/no
## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS
## certificate to be verified. If the server's TLS certificate cannot be
## verified (usually because it is signed by an unknown certificate
## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
## is disabled, no check is made. Note that disabling the check
## creates an opportunity for man-in-the-middle attacks since the
## server's identity will not be authenticated. If possible, the CA's
## certificate should be installed locally so it can be verified.
## This option is not supported by the Tivoli Directory Server LDAP
## libraries.
tls_checkpeer yes

##
## URI ldap[s]://[hostname[:port]] ...
## Specifies a whitespace-delimited list of one or more
## URIs describing the LDAP server(s) to connect to.
##
uri ldap://freeipaserver1 ldap://freeipaserver2

##
## SUDOERS_BASE base
## The base DN to use when performing sudo LDAP queries.
## Multiple SUDOERS_BASE lines may be specified, in which
## case they are queried in the order specified.
##
sudoers_base ou=sudoers,dc=domain,dc=com

##
## BIND_TIMELIMIT seconds
## The BIND_TIMELIMIT parameter specifies the amount of
## time to wait while trying to connect to an LDAP server.
##
#bind_timelimit 30

##
## TIMELIMIT seconds
## The TIMELIMIT parameter specifies the amount of time
## to wait for a response to an LDAP query.
##
#timelimit 30

##
## SUDOERS_DEBUG debug_level
## This sets the debug level for sudo LDAP queries. Debugging
## information is printed to the standard error. A value of 1
## results in a moderate amount of debugging information.
## A value of 2 shows the results of the matches themselves.
##
sudoers_debug 0

And in your nsswitch.conf change the sudoers line to:

sudoers: files ldap sss

On a side note, setting the nisdomain parameter in rc.local is a
hack at best. This should be set, on a Red Hat based system (RHEL,
CENTOS, etc), in /etc/sysconfig/network, and should look like
NISDOMAIN=your.domain.here.

The professionals may say otherwise on switching to ldap based
auth/sudo access, and I will learn something. At least this gets you
up and running until an actual solution is found. As I stated earlier,
I believe I had found a bug report on this, I am just having a hard
time finding it again.

Thanks,
Bill
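As an added example (not code from the thread, nor from the sudo or SSSD projects), a small Python linter for the sudo-ldap.conf workaround above: it parses the file and flags the settings the quoted man-page excerpts warn about, such as tls_checkpeer turned off or a plain ldap:// URI without start_tls. The example.test hostnames, the placeholder bind password and the finding codes are assumptions constructed here.

```python
"""Lint a sudo-ldap.conf for the settings discussed in the thread.

Added example, not code from the thread or from the sudo/SSSD projects.
The parsing rules, finding codes and both sample configurations
(example.test hostnames, placeholder bind password) are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

Conf = Dict[str, List[str]]
Finding = Tuple[str, str]  # (short code, explanation)

_ON = {"on", "true", "yes"}
_OFF = {"off", "false", "no"}


def parse_sudo_ldap_conf(text: str) -> Conf:
    """Map each lower-cased keyword to its values, in file order.

    Blank lines and '#' comments (such as the man-page excerpts quoted in
    the thread) are skipped. Most keywords are single-valued and the last
    occurrence wins; SUDOERS_BASE may repeat, so every value is kept.
    """
    conf: Conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def lint_sudo_ldap_conf(text: str, mode: Optional[int] = None) -> List[Finding]:
    """Return findings on transport security and secret handling.

    `mode` is the file's permission bits (e.g. 0o640) when known; it is
    used only for the bindpw check, because the password sits in clear
    text in this file. An empty list means nothing was flagged.
    """
    conf = parse_sudo_ldap_conf(text)

    def last(key: str) -> str:
        return conf.get(key, [""])[-1].lower()

    findings: List[Finding] = []

    # URI may list several servers on one line, as in the workaround above.
    uris = " ".join(conf.get("uri", [])).split()
    if not uris:
        findings.append(("no-uri", "no URI: sudo has no LDAP server to query"))

    # 'ssl start_tls' upgrades an ldap:// connection before the bind and
    # 'ssl on' selects ldaps; anything else leaves ldap:// in the clear.
    ssl = last("ssl")
    encrypted = ssl == "start_tls" or ssl in _ON
    plain = [u for u in uris if u.lower().startswith("ldap://")]
    if plain and not encrypted:
        findings.append(("plaintext", "ldap:// URI(s) %s without 'ssl start_tls': "
                         "the bind password and rule lookups cross the network "
                         "unencrypted" % ", ".join(plain)))

    checkpeer = last("tls_checkpeer")
    if checkpeer in _OFF:
        findings.append(("checkpeer-off", "tls_checkpeer is disabled: the server's "
                         "identity is not authenticated (man-in-the-middle risk)"))
    elif encrypted and checkpeer not in _ON:
        findings.append(("checkpeer-unset", "tls_checkpeer is not set: set it to "
                         "'yes' explicitly instead of relying on a library default"))
    if encrypted and not last("tls_cacertfile"):
        findings.append(("no-cacert", "tls_cacertfile is missing: a private IPA CA "
                         "such as /etc/ipa/ca.crt cannot be verified without it"))

    # sudo reads this file as root, so the password only needs root access.
    if "bindpw" in conf and mode is not None and mode & 0o004:
        findings.append(("bindpw-readable", "bindpw sits in a world-readable file "
                         "(mode %o); restrict it to root" % mode))

    debug = last("sudoers_debug")
    if debug.isdigit() and int(debug) > 0:
        findings.append(("debug-on", "sudoers_debug %s prints query details to "
                         "every user's terminal; keep it 0 outside troubleshooting"
                         % debug))

    if not conf.get("sudoers_base"):
        findings.append(("no-base", "sudoers_base is missing: no rules can match"))
    return findings


# Constructed sample modelled on the thread's workaround, placeholder names.
HARDENED_CONF = """\
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw CHANGEME-placeholder
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://freeipa1.example.test ldap://freeipa2.example.test
sudoers_base ou=sudoers,dc=example,dc=test
sudoers_debug 0
"""

# Constructed sample of a weak file: no TLS, peer check off, debug left on.
WEAK_CONF = """\
uri ldap://freeipa1.example.test
sudoers_base ou=sudoers,dc=example,dc=test
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw CHANGEME-placeholder
tls_checkpeer no
sudoers_debug 1
"""

if __name__ == "__main__":
    for name, conf, mode in (("hardened", HARDENED_CONF, 0o640),
                             ("weak", WEAK_CONF, 0o644)):
        found = lint_sudo_ldap_conf(conf, mode)
        print("%s: %d finding(s)" % (name, len(found)))
        for code, why in found:
            print("  [%s] %s" % (code, why))
```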
Post by Megan .
ok. Changed debug_level to 7. I already had it in the domain section (first line).
Not sure if this makes a difference
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=5
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
from sssd_sudo.log
Client connected!
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Received client version [1].
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_cmd_get_version]
(0x0200): Offered version [1].
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [tuser2] from [<ALL>]
Retrieving default options for [tuser2] from [server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'tuser2' matched without domain, user is tuser2
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [tuser2] from [<ALL>]
Retrieving rules for [tuser2] from [server.domain.com]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*))(&(dataExpireTimestamp<=1408969900)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=tuser2)(sudoUser=#1079600005)(sudoUser=%tuser2)(sudoUser=+*)))]
(Mon Aug 25 12:31:40 2014) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
(Mon Aug 25 12:31:42 2014) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
from sssd_server.log
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x0400): Got get subdomains [not forced][]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x0400): Cannot proceed, provider is offline.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x1000): Request processed. Returned
1,11,Provider is offline
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Got request for
[4098][1][idnumber=1079600005]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast
reply - offline
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 0 for server '(no
name)' is 'neutral'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use
DNS discovery domain 'server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_cont] (0x0100): Searching for servers via SRV query
'_ldap._tcp.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
'_ldap._tcp.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[request_watch_destructor] (0x0400): Deleting request watch
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as
'not working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as
'not resolved'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Trying with the next one!
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 0 for server
'dir1.server.domain.com' is 'neutral'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipa_resolve_callback] (0x0400): Constructed uri
'ldap://dir1.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for
connecting
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://dir1.server.domain.com:389/??base] with fd [25].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[namingContexts]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[supportedControl]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[supportedExtension]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[supportedFeatures]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[supportedLDAPVersion]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[supportedSASLMechanisms]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[domainControllerFunctionality]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[defaultNamingContext]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[highestCommittedUSN]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_send] (0x0400): Attempting kinit (default,
host/map1.server.domain.com, server.domain.com, 86400)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'name resolved'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
TGT...
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[create_tgt_req_send_buffer] (0x1000): buffer size: 72
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt
child
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[write_pipe_handler] (0x0400): All data has been sent!
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[read_pipe_handler] (0x0400): EOF received, client finished
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_server.domain.com], expired on
[1409056143]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_cli_auth_step] (0x1000): the connection will expire at
1408970643
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
host/map1.server.domain.com
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x1000): Waiting for child [17983].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x0100): child [17983] finished successfully.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_set_port_status] (0x0100): Marking port 0 of server
'dir1.server.domain.com' as 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_server_common_status] (0x0100): Marking server
'dir1.server.domain.com' as 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base
[cn=accounts,dc=server,dc=domain,dc=com]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(gidNumber=1079600005)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=server,dc=domain,dc=com].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[modifyTimestamp]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_run_online_cb] (0x0080): Going online. Running callbacks.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_groups_process] (0x0400): Search for groups, returned 1
results.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_has_deref_support] (0x0400): The server supports deref method
OpenLDAP
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_group] (0x0400): Processing group tuser2
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_group] (0x1000): Original USN value is not available for
[tuser2].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_process_ghost_members] (0x0400): The group has 0 members
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_process_ghost_members] (0x0400): Group has 0 members
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_group] (0x0400): Storing info for group tuser2
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_grpmem] (0x1000): No members for group [tuser2]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_save_grpmem] (0x0400): Storing members for group tuser2
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
1408969743
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo
rules
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 389 for server
'dir1.server.domain.com' is 'not working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x0100): Reseting the status of port 389 for server
'dir1.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_uri_callback] (0x0400): Constructed uri
'ldap://dir1.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for
connecting
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://dir1.server.domain.com:389/??base] with fd [26].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[namingContexts]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[supportedControl]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[supportedExtension]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[supportedFeatures]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[supportedLDAPVersion]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[supportedSASLMechanisms]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[domainControllerFunctionality]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[defaultNamingContext]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[highestCommittedUSN]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_send] (0x0400): Attempting kinit (default,
host/dir1.server.domain.com, server.domain.com, 86400)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service
KERBEROS
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'KERBEROS'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
TGT...
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[create_tgt_req_send_buffer] (0x1000): buffer size: 72
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt
child
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[write_pipe_handler] (0x0400): All data has been sent!
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[read_pipe_handler] (0x0400): EOF received, client finished
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_tgt_recv] (0x0400): Child responded: 14 [Error writing to
key table], expired on [0]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [5] result [4]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_set_port_status] (0x0100): Marking port 389 of server
'dir1.server.domain.com' as 'not working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 389 for server
'dir1.server.domain.com' is 'not working'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0020): No available servers for service
'LDAP'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x1000): Waiting for child [17984].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[child_sig_handler] (0x0100): child [17984] finished successfully.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_done] (0x1000): Server resolution failed: 5
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline
(5 [Input/output error])
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full
refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily
unavailable)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is
offline. Scheduling another full refresh in 6 minutes.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
1408970103
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
1408969743
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo
rules
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0040): Periodical full
refresh of sudo rules failed [dp_error: 1] ([11]: Resource temporarily
unavailable)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_sudo_periodical_first_refresh_done] (0x0400): Data provider is
offline. Scheduling another full refresh in 8 minutes.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
1408970223
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaNTTrustedDomain][cn=trusts,dc=server,dc=domain,dc=com].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipaNTFlatName]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipaNTTrustedDomainSID]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=ipaIDRange][cn=ranges,cn=etc,dc=server,dc=domain,dc=com].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipaSecondaryBaseRID]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipaIDRangeSize]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipaNTTrustedDomainSID]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_update_ranges] (0x0400): Adding range
[server.domain.com_id_range].
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_range_create] (0x0040): Invalid range, expected that either the
secondary base rid or the SID of the trusted domain is set, but not
both or none of them.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_range_create] (0x0400): Error: 22 (Invalid argument)
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[sysdb_update_ranges] (0x0040): sysdb_range_create failed.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[ipa_subdomains_handler_ranges_done] (0x0040): sysdb_update_ranges
failed.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[delayed_online_authentication_callback] (0x0200): Backend is online,
starting delayed online authentication.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file
or directory]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kdcinfo.server.domain.com], [2][No such file or
directory]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[remove_krb5_info_files] (0x0200): Could not remove
[/var/lib/sss/pubconf/kpasswdinfo.server.domain.com], [2][No such file
or directory]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Got request for [3][1][name=tuser2]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler] (0x0100): Got request with the following data
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): domain: server.domain.com
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): user: tuser2
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): service: sudo
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/1
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): ruser: tuser2
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok type: 1
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok size: 23
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok type: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok size: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): priv: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): cli_pid: 17982
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[cc_residual_is_used] (0x1000): User [1079600005] is still active,
reusing ccache [/tmp/krb5cc_1079600005_Hfzpn4].
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[check_for_valid_tgt] (0x1000): TGT end time [1409049392].
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[check_for_valid_tgt] (0x0080): TGT is valid.
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 0 for server
'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[get_server_status] (0x1000): Status of server
'dir1.server.domain.com' is 'working'
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_resolve_server_process] (0x0200): Found address for server
dir1.server.domain.com: [10.10.26.148] TTL 7200
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[ipa_resolve_callback] (0x0400): Constructed uri
'ldap://dir1.server.domain.com'
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[krb5_find_ccache_step] (0x0080): Saved ccache
FILE:/tmp/krb5cc_1079600005_Hfzpn4 if of different type than ccache in
configuration file, reusing the old ccache
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[sysdb_cache_auth] (0x0100): Hashes do match!
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>)
[Provider is Offline (Authentication service cannot retrieve
authentication info)]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sending result
[9][server.domain.com]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [9][server.domain.com]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler] (0x0100): Got request with the following data
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): domain: server.domain.com
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): user: tuser2
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): service: sudo
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): tty: /dev/pts/1
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): ruser: tuser2
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok type: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): authtok size: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok type: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): newauthtok size: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): priv: 0
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[pam_print_data] (0x0100): cli_pid: 17982
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[sdap_access_send] (0x0400): Performing access check for user [tuser2]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[sdap_account_expired_rhds] (0x0400): Performing RHDS access check for
user [tuser2]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_attrs_to_rule] (0x1000): Processing rule [allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_user_attrs_to_rule] (0x1000): Processing users for rule
[allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for
rule [allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule
[allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_get_category] (0x0200): Category is set to 'all'.
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
[allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_eval_user_element] (0x1000): [2] groups for [tuser2]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[hbac_eval_user_element] (0x1000): Added group [ipausers] for user
[tuser2]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[allow_all]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sending result
[0][server.domain.com]
(Mon Aug 25 12:29:10 2014) [sssd[be[server.domain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][server.domain.com]
Post by Jakub Hrozek
Post by Megan .
Good Morning,
I'm very new to freeIPA. I'm running centOS 6.5 with freeIPA v3
I have the freeIPA server up but i'm working on getting SUDO
configured. Currently i'm having problems getting sudo commands to
work on the client. I'm a bit unclear if i have everything configured
correctly. The only thing that I can figure out might be an issue, is
when i try the sudo command i see a filter search with
objectclass=sudoRule but when i check the ldap server it has
These two searches are unrelated. The sudoRule objectclass is what we use
internally in the sssd cache. On the LDAP side, sudoRole is used.
In general, only the [domain] process works with LDAP data; all others
(nss, pam, sudo, ...) work with cached data that might look totally
different.
Post by Megan .
objectclass=sudoRole, so there are no results.
Any ideas? Thank you in advance for any advice.
Can you put debug_level into the domain section as well and increase the
debug_level of both to 7?
Post by Megan .
tuser2 is not allowed to run sudo on map1. This incident will be reported.
yum installed libsss_sudo
I added "nisdomainname dir1.server.example.com" to /etc/rc.d/rc.local
**still not sure what this is for **
Created a sudo user on ldap server
ldappasswd -x -S -W -h dir1.server.example.com -ZZ -D "cn=Directory
Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com
**
The config file looks good to me.
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Lukas Slebodnik
2014-08-26 06:37:35 UTC
Permalink
Post by William Graboyes
Hi Megan,
I had the same problem with CENTOS 6.5 and free-ipa. I did a ton of
searching, and IIRC the conclusion was a bug in that version of sssd, I
don't remember all of the details, however I do remember the work
around.
Create a system account (in this case I called it sudo).
Create or edit the following file.
/etc/sudo-ldap.conf
You are using a different program for downloading sudo rules from the LDAP server.

I don't want to say that configuring sudo with the IPA server on CentOS 6.5
is easy, but it is possible.

LS
Jakub Hrozek
2014-08-26 06:42:09 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi Megan,
I had the same problem with CENTOS 6.5 and free-ipa.
Megan had a different problem. We were able to get to the root cause in an off-list discussion: the ldap_sasl_authid parameter was set up wrongly.
Lukas Slebodnik
2014-08-26 06:34:51 UTC
Permalink
Post by Megan .
ok. Changed debug_level to 7. I already had it in the domain section (first line).
Not sure if this makes a difference
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=5
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
from sssd_server.log
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x0400): Got get subdomains [not forced][]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x0400): Cannot proceed, provider is offline.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_subdomains] (0x1000): Request processed. Returned
1,11,Provider is offline
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Got request for
[4098][1][idnumber=1079600005]
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast
reply - offline
SSSD was in offline mode, so the sudo rules were not downloaded yet.
This is the reason why sudo doesn't work for you.
Post by Megan .
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[get_port_status] (0x1000): Port status of port 0 for server '(no
name)' is 'neutral'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use
DNS discovery domain 'server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_cont] (0x0100): Searching for servers via SRV query
'_ldap._tcp.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
'_ldap._tcp.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[request_watch_destructor] (0x0400): Deleting request watch
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]]
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
SSSD was not able to resolve SRV records.
There are two explanations:
a) you did not install the IPA server with DNS (ipa-server-install --setup-dns)
b) you don't have the IP address of the IPA server in /etc/resolv.conf

If you fix this problem, sudo should work.

You can test resolving SRV records from the command line:
dig SRV _ldap._tcp.server.domain.com

LS
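The two root causes named in this thread (SSSD stuck offline because the SRV lookup fails, and a wrong ldap_sasl_authid) can both be spotted from the client's own files before touching the server. The script below is an added example, not code from the thread or from the SSSD/FreeIPA projects: it classifies an SSSD domain log written at debug_level 7, extracts the SRV name SSSD tried so the same query can be repeated with dig, and checks ldap_sasl_authid in sssd.conf. The sample log lines and the sssd.conf fragment are constructed, modelled on what was posted above. One assumption not stated in the thread: if ldap_sasl_authid is set explicitly on an IPA client, it should be the client's own host principal, host/<ipa_hostname>@<REALM>; leaving it unset lets SSSD take the principal from /etc/krb5.keytab.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the SSSD/FreeIPA projects).
# 1. diagnose_sssd_log: classify an SSSD domain log as srv-failure, offline or online.
# 2. check_sasl_authid: sanity-check an explicit ldap_sasl_authid in sssd.conf.
# Assumption: an explicit ldap_sasl_authid should be host/<ipa_hostname>@<REALM>.
set -u

# diagnose_sssd_log LOGFILE -> prints srv-failure | offline | online
diagnose_sssd_log() {
    local log="$1"
    if grep -q 'SRV query failed' "$log"; then
        echo "srv-failure"
    elif grep -qi 'provider is offline' "$log"; then
        echo "offline"
    else
        echo "online"
    fi
}

# srv_name_from_log LOGFILE -> the SRV record SSSD tried to resolve (empty if none)
srv_name_from_log() {
    sed -n "s/.*SRV query '\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# check_sasl_authid CONF -> unset | ok:<value> | mismatch:<value>
# "mismatch" means the principal is not host/<ipa_hostname>@..., i.e. not this client's.
check_sasl_authid() {
    local conf="$1" authid host
    authid=$(sed -n 's/^[[:space:]]*ldap_sasl_authid[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    host=$(sed -n 's/^[[:space:]]*ipa_hostname[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$authid" ]; then
        echo "unset"
    elif [ -n "$host" ] && [ "${authid%@*}" = "host/$host" ]; then
        echo "ok:$authid"
    else
        echo "mismatch:$authid"
    fi
}

# suggested_checks SRVNAME -> the by-hand follow-ups for an SRV failure
suggested_checks() {
    printf 'dig SRV %s\n' "$1"
    printf 'grep nameserver /etc/resolv.conf\n'
    printf 'sss_cache -E && service sssd restart && sudo -l\n'
}

# Constructed sample log, modelled on the lines quoted in the thread.
write_sample_log() {
    cat >"$1" <<'EOF'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [be_get_subdomains] (0x0400): Cannot proceed, provider is offline.
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.server.domain.com'
(Mon Aug 25 12:29:03 2014) [sssd[be[server.domain.com]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
EOF
}

# Constructed sssd.conf fragment with a deliberately wrong authid:
# the server's host principal instead of the client's own.
write_sample_conf() {
    cat >"$1" <<'EOF'
[domain/server.example.com]
ipa_hostname = map1.server.example.com
ldap_sasl_authid = host/dir1.server.example.com@SERVER.EXAMPLE.COM
EOF
}

# Demo on the constructed inputs. On a real client use:
#   diagnose_sssd_log /var/log/sssd/sssd_server.example.com.log
#   check_sasl_authid /etc/sssd/sssd.conf
demo_log=$(mktemp) && write_sample_log "$demo_log"
demo_conf=$(mktemp) && write_sample_conf "$demo_conf"
echo "log verdict: $(diagnose_sssd_log "$demo_log")"
echo "sasl authid: $(check_sasl_authid "$demo_conf")"
if [ "$(diagnose_sssd_log "$demo_log")" = "srv-failure" ]; then
    suggested_checks "$(srv_name_from_log "$demo_log")"
fi
rm -f "$demo_log" "$demo_conf"
```

On the constructed inputs this reports srv-failure and a mismatched authid, and prints the dig query Lukas suggested. To compare the client's view with what the server actually publishes, `ldapsearch -Y GSSAPI -b ou=sudoers,dc=server,dc=example,dc=com '(objectClass=sudoRole)'` (base from the sssd.conf posted above, with a valid Kerberos ticket) lists the rules as the SSSD domain process fetches them; as Jakub notes, the sudoRule objectclass only ever appears in SSSD's own cache, so its absence on the server is not a problem.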