Hi Jakub,

I increased the log level in every SSSD section to 6 and got the following output, hope that helps.
KRB5_CHILD.LOG: https://s.mit42.de/IR6tu
SSSD_SUDO.LOG (two tries are logged in it): https://s.mit42.de/WF1Jl
SSSD_IPA-LX.COM: https://s.mit42.de/frBvx

Best regards,
Fabian

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jakub Hrozek
Sent: Wednesday, 7 October 2015 10:03
To: [email protected]
Subject: Re: [Freeipa-users] SUDO does not always works on first try

On Mon, Oct 05, 2015 at 01:25:09PM +0000, Zoske, Fabian wrote:
> Dear Jakub,
>
> I found only the following entries in the /var/log/auth.log:
>
> Oct 5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): conversation failed
> Oct 5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): auth could not identify password for [[email protected]]
> Oct 5 11:57:38 hl-srv10 sudo: pam_sss(sudo:auth): authentication failure; [email protected] uid=1948403038 euid=0 tty=/dev/pts/1 [email protected] rhost= [email protected]
> Oct 5 11:57:38 hl-srv10 sudo: pam_sss(sudo:auth): received for user [email protected]: 7 (Authentication failure)
> Oct 5 11:57:38 hl-srv10 sudo: [email protected] : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/cat /etc/sssd/sssd.conf
> Oct 5 11:57:42 hl-srv10 sudo: pam_unix(sudo:auth): authentication failure; [email protected] uid=1948403038 euid=0 tty=/dev/pts/1 [email protected] rhost= [email protected]
> Oct 5 11:57:42 hl-srv10 sudo: pam_sss(sudo:auth): authentication success; [email protected] uid=1948403038 euid=0 tty=/dev/pts/1 [email protected] rhost= [email protected]
> Oct 5 11:57:43 hl-srv10 sudo: [email protected] : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/bash
> Oct 5 11:57:46 hl-srv10 sudo: pam_unix(sudo:auth): authentication failure; [email protected] uid=1948403038 euid=0 tty=/dev/pts/1 [email protected] rhost= [email protected]
> Oct 5 11:57:47 hl-srv10 sudo: pam_sss(sudo:auth): authentication success; [email protected] uid=1948403038 euid=0 tty=/dev/pts/1 [email protected] rhost= [email protected]
> Oct 5 11:57:47 hl-srv10 sudo: [email protected] : TTY=pts/1 ; PWD=/home/de.eu.local/f.zoske ; USER=root ; COMMAND=/bin/bash
> Oct 5 11:57:47 hl-srv10 sudo: pam_unix(sudo:session): session opened for user root by [email protected](uid=0)
>
> In /var/log/sssd/ no entries were logged.

Nothing gets logged in by default, you need to increase debug_level, see:
https://fedorahosted.org/sssd/wiki/Troubleshooting

I would look into the domain log and krb5_child.log first

>
> My sssd.conf:
> [domain/ipa-lx.com]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa-lx.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = hl-srv10.ipa-lx.com
> chpass_provider = ipa
> ipa_server = _srv_, dc01.ipa-lx.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_sudo_use_host_filter = false
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> default_domain_suffix = de.eu.local
> domains = ei-ag.it
>
> [nss]
> override_shell = /bin/bash
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
> Best regards,
> Fabian
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
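
The quoted auth.log shows pam_sss reporting "authentication success" while sudo still logs "user NOT authorized on host" for the same attempt. The following Python is an added example, not part of the original thread or of SSSD, that pairs each sudo decision with the preceding pam_sss result; the sample lines are constructed and `user@example.test` is a placeholder for the redacted account name.

```python
import re

# Constructed sample lines modelled on the auth.log excerpt in the thread;
# user@example.test is a placeholder, not a value from the original log.
SAMPLE = """\
Oct 5 11:57:38 hl-srv10 sudo: pam_sss(sudo:auth): authentication failure; uid=1948403038 euid=0
Oct 5 11:57:38 hl-srv10 sudo: user@example.test : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/u ; USER=root ; COMMAND=/bin/cat /etc/sssd/sssd.conf
Oct 5 11:57:42 hl-srv10 sudo: pam_sss(sudo:auth): authentication success; uid=1948403038 euid=0
Oct 5 11:57:43 hl-srv10 sudo: user@example.test : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/u ; USER=root ; COMMAND=/bin/bash
Oct 5 11:57:47 hl-srv10 sudo: pam_sss(sudo:auth): authentication success; uid=1948403038 euid=0
Oct 5 11:57:47 hl-srv10 sudo: user@example.test : TTY=pts/1 ; PWD=/home/u ; USER=root ; COMMAND=/bin/bash
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s+sudo:\s+(.*)$")
PAM_SSS = re.compile(r"pam_sss\(sudo:auth\): authentication (success|failure)")
DECISION = re.compile(r"^(\S+) : (?:(.+?) ; )?TTY=.*COMMAND=(.*)$")

def classify_attempts(text):
    """Return one record per sudo COMMAND= line with the pam_sss result before it."""
    attempts, pam = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, _host, msg = m.groups()
        p = PAM_SSS.search(msg)
        if p:
            pam = p.group(1)          # remember the latest pam_sss outcome
            continue
        d = DECISION.match(msg)
        if not d:
            continue                  # pam_unix and other lines are ignored
        user, reason, command = d.groups()
        if reason is None:            # no denial text before TTY=
            verdict = "allowed"
        elif pam == "success":        # password accepted, sudo still refused
            verdict = "authenticated-but-denied"
        else:
            verdict = "denied"
        attempts.append({"time": stamp, "user": user, "command": command,
                         "pam_sss": pam, "verdict": verdict})
        pam = None                    # next attempt starts fresh
    return attempts

if __name__ == "__main__":
    for a in classify_attempts(SAMPLE):
        print(a["time"], a["verdict"], a["command"])
```

An "authenticated-but-denied" record is the case where the sudo responder and domain logs are the ones to read, since the password check itself succeeded.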
