Hi, I have CentOS 6.7 (IPA server) and CentOS 6.5 (client). I cannot sudo on the client. I added a sudo rule on IPA. My config file sss.conf:
+++++++
[domain/l.infotechpsp.net]
debug_level = 6
#cache_credentials = True
#krb5_store_password_if_offline = True
ipa_domain = l.infotechpsp.net
id_provider = ipa
#auth_provider = ipa
#access_provider = ipa
#ipa_hostname = switchlive.l.infotechpsp.net
#chpass_provider = ipa
ipa_server = _srv_, ipasrv.l.infotechpsp.net
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipasrv.l.infotechpsp.net
ldap_sudo_search_base = ou=sudoers,dc=l,dc=infotechpsp,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ussd7rep.l.infotechpsp.net
ldap_sasl_realm = L.INFOTECHPSP.NET
krb5_server = ipasrv.l.infotechpsp.net

[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam, ssh, sudo
domains = l.infotechpsp.net

[nss]

[pam]
+++++++

In nsswitch.conf I added "sudoers: files sss". The log file /var/log/sss/sss_l.....:
+++++
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [be_resolve_server_process] (0x0200): Found address for server ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_L.INFOTECHPSP.NET], expired on [1443085132]
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Sep 23 12:28:52 2015) [sssd[be[l.infotechpsp.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ussd7rep.l.infotechpsp.net
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [child_sig_handler] (0x0100): child [12755] finished successfully.
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipasrv.l.infotechpsp.net' as 'working'
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [set_server_common_status] (0x0100): Marking server 'ipasrv.l.infotechpsp.net' as 'working'
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectclass=sudoRole)(entryUSN>=128274)(!(entryUSN=128274)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ussd7rep.l.infotechpsp.net)(sudoHost=ussd7rep)(sudoHost=10.30.110.11)(sudoHost=10.30.110.0/24)(sudoHost=fe80::250:56ff:feaf:3ca6)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=l,dc=infotechpsp,dc=net].
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=l,dc=infotechpsp,dc=net]
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in cache
(Wed Sep 23 12:28:53 2015) [sssd[be[l.infotechpsp.net]]] [sdap_sudo_smart_refresh_done] (0x0400): Successful smart refresh of sudo rules
+++++
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
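An added worked example, not code from the post or from the SSSD project: it re-implements the sudoHost selection that the ldap_search_ext filter in the log above spells out (ALL, the client's FQDN and short name, its addresses and the CIDR blocks containing them, a netgroup prefixed with "+", fnmatch-style wildcards, or a rule with no sudoHost at all) and applies it to constructed sudoRole entries in the shape the IPA compat tree under ou=sudoers exposes. It also reads the refresh counters out of the debug log. The sudoRole entries, the netgroup name "webservers", and the rule names are assumptions for illustration; the client identities are copied from the filter in the post. One caveat the counters make visible: that search carries (entryUSN>=128274)(!(entryUSN=128274)), so it is a smart refresh that only asks for rules changed since the last refresh, and "Received 0 rules" there says nothing about how many rules the full refresh (run at startup and every ldap_sudo_full_refresh_interval) already holds in the cache.

```python
"""Which LDAP sudoRole entries would SSSD hand to sudo on this client?

Added example, not from the post or SSSD. It mirrors the sudoHost clauses of the
search filter in the log and parses the refresh counters from sssd debug output.
"""
import fnmatch
import ipaddress
import re

# Client identities, copied from the sudoHost clauses in the log's search filter.
CLIENT = {
    "fqdn": "ussd7rep.l.infotechpsp.net",
    "short": "ussd7rep",
    "addrs": ["10.30.110.11", "fe80::250:56ff:feaf:3ca6"],
}

# Constructed sudoRole entries in the shape the IPA compat tree (ou=sudoers)
# exposes. Illustrative only; the poster's directory content is unknown.
SAMPLE_LDIF = """\
dn: cn=admins_all,ou=sudoers,dc=l,dc=infotechpsp,dc=net
objectClass: sudoRole
cn: admins_all
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL

dn: cn=subnet_service,ou=sudoers,dc=l,dc=infotechpsp,dc=net
objectClass: sudoRole
cn: subnet_service
sudoUser: bob
sudoHost: 10.30.110.0/24
sudoCommand: /sbin/service

dn: cn=other_host,ou=sudoers,dc=l,dc=infotechpsp,dc=net
objectClass: sudoRole
cn: other_host
sudoUser: alice
sudoHost: switchlive.l.infotechpsp.net
sudoCommand: ALL

dn: cn=webservers_netgroup,ou=sudoers,dc=l,dc=infotechpsp,dc=net
objectClass: sudoRole
cn: webservers_netgroup
sudoUser: carol
sudoHost: +webservers
sudoCommand: /usr/sbin/apachectl
"""

# Two lines excerpted (filter abridged) from the log in the post: a smart refresh.
SAMPLE_LOG = """\
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectclass=sudoRole)(entryUSN>=128274)(!(entryUSN=128274)))(|(!(sudoHost=*))(sudoHost=ALL)))][ou=sudoers,dc=l,dc=infotechpsp,dc=net].
[sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated entry, multi-valued."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries


def host_matches(value, client, netgroups=()):
    """Does one sudoHost value select this client? Mirrors the filter's clauses."""
    if value == "ALL":
        return True
    if value.startswith("+"):                      # netgroup / IPA hostgroup
        return value[1:] in netgroups
    if value in (client["fqdn"], client["short"]):
        return True
    try:                                           # bare address or CIDR block
        net = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(a) in net for a in client["addrs"])
    except ValueError:
        pass
    if any(ch in value for ch in "*?[\\"):        # fnmatch-style wildcard
        return (fnmatch.fnmatchcase(client["fqdn"], value)
                or fnmatch.fnmatchcase(client["short"], value))
    return False


def applicable_rules(entries, client, netgroups=()):
    """cn of every sudoRole the filter would return for this client."""
    names = []
    for entry in entries:
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        hosts = entry.get("sudoHost", [])
        # (!(sudoHost=*)): a rule with no sudoHost at all is also fetched.
        if not hosts or any(host_matches(h, client, netgroups) for h in hosts):
            names.append(entry["cn"][0])
    return names


def refresh_summary(log_text):
    """(last_usn, rules_received); last_usn is None when the log shows a full refresh."""
    usn = re.search(r"entryUSN>=(\d+)", log_text)
    received = re.search(r"Received (\d+) rules", log_text)
    return (int(usn.group(1)) if usn else None,
            int(received.group(1)) if received else None)


if __name__ == "__main__":
    rules = parse_ldif(SAMPLE_LDIF)
    print("applicable:", applicable_rules(rules, CLIENT))
    print("with netgroup:", applicable_rules(rules, CLIENT, netgroups=("webservers",)))
    print("refresh (last_usn, received):", refresh_summary(SAMPLE_LOG))
```

Running it against the constructed entries selects admins_all and subnet_service, adds webservers_netgroup only when the client is a member of that netgroup, and reports (128274, 0) for the log, i.e. a smart refresh that found no rule newer than USN 128274. To see what the full refresh returned, look for the earlier sdap_sudo_full_refresh lines in the same log, whose filter carries no entryUSN clause.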
