English Finnish
%%
[0 - offline_timeout_random_offset]
1.2.3.4
1. <emphasis>Index LDAP attributes</emphasis>. Make sure that the following LDAP attributes are indexed: objectClass, cn, entryUSN or modifyTimestamp.
1. If the shell is present in <quote>/etc/shells</quote>, it is used.
1. I have the KRB5CCNAME environment variable set and the authentication does not work: Depending on your sudo version, it is possible that sudo does not pass this variable to the PAM environment. Try adding KRB5CCNAME to <option>env_keep</option> in /etc/sudoers or to the default options of your LDAP sudo rules.
1. The following example shows a typical SSSD config. It does not describe the configuration of the domains themselves - refer to the documentation on configuring domains for more details. <placeholder type="programlisting" id="0"/>
2001:db8:85a3::8a2e:370:7334
[2001:db8:85a3::8a2e:370:7334]:321
2. Authentication does not work and syslog contains "Server not found in Kerberos database": Kerberos is probably not able to resolve the correct realm for the service ticket based on the hostname. Try adding the hostname directly to <option>[domain_realm]</option> in /etc/krb5.conf like so:
2. <emphasis>Set ldap_sudo_search_base</emphasis>. Set the search base to the container that holds the sudo rules to limit the scope of the lookup.
2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</quote>, use the value of the shell_fallback parameter.
2. The following example shows the configuration of an IPA AD trust where the AD forest consists of two domains in a parent-child structure. Suppose the IPA domain (ipa.com) has a trust with the AD domain (ad.com), and ad.com has a child domain (child.ad.com). To enable short names in the child domain, the following configuration should be used. <placeholder type="programlisting" id="0"/>
3. Authentication does not work and syslog contains "No Kerberos credentials available": You don't have any credentials that can be used to obtain the required service ticket. Use kinit or authenticate over SSSD to acquire those credentials.
3. <emphasis>Set full and smart refresh interval</emphasis>. If your sudo rules do not change often and you do not require a quick update of the cached rules on your clients, you may consider increasing <emphasis>ldap_sudo_full_refresh_interval</emphasis> and <emphasis>ldap_sudo_smart_refresh_interval</emphasis>. You may also consider disabling the smart refresh by setting <emphasis>ldap_sudo_smart_refresh_interval = 0</emphasis>.
3. If the shell is not in the allowed_shells list and not in <quote>/etc/shells</quote>, a nologin shell is used.
3. The following example shows the configuration for two certificate mapping rules. The first is valid for the configured domain <quote>my.domain</quote> and additionally for the subdomain <quote>your.domain</quote>, and uses the full certificate in the search filter. The second is valid for the domain <quote>files</quote>, where it is assumed that the files provider is used for this domain, and contains a matching rule for the local user <quote>myname</quote>. <placeholder type="programlisting" id="0"/>
4. Authentication does not work and the SSSD sssd-pam log contains "User with UPN [$UPN] was not found." or "UPN [$UPN] does not match target user [$username].": You are using credentials that cannot be mapped to the user that is being authenticated. Try using kswitch to select a different principal, make sure you authenticated with SSSD, or consider disabling <option>pam_gssapi_check_upn</option>.
4. If you have a large number of clients, you may consider increasing the value of <emphasis>ldap_sudo_random_offset</emphasis> to distribute the load on the server better.
5.6.7.8:99