Thanks everyone for help, for centos65 latest, I really need to do these steps:
yum install ipa-client libsss_sudo
ipa-client-install ...

modify:
/etc/sssd/sssd.conf (ldap setup based on man)
/etc/nsswitch.conf (sss provider for sudoers based on man)
and set nisdomainname

then sudo starts to work.

One last thing is that the latest CentOS65 64b ipa client and openssh are not fully compatible: during client registration it said "Installed openssh does not support dynamically loading authorized user keys", so no access via key is possible, but if you add "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" to the sshd config it's ok, so probably some bad detection of the openssh version.

Vasek
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
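
One way to check the three settings from the message above on a client, as an added example that is not part of the original post or of FreeIPA. It assumes sudo must be listed in "services" under [sssd] (as in sssd-sudo(5)) and that sshd reads /etc/ssh/sshd_config; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the three client settings named in the message above.
# File paths are arguments, so it can also run against copies of the files.
# Usage: audit_ipa_client /etc/nsswitch.conf /etc/sssd/sssd.conf /etc/ssh/sshd_config

# The sudoers line in nsswitch.conf must list the sss source.
check_nsswitch() {
    grep -Eq '^[[:space:]]*sudoers:(.*[[:space:]])?sss([[:space:]]|$)' "$1"
}

# "services" in the [sssd] section of sssd.conf must include sudo (assumption).
check_sssd() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# sshd_config needs an uncommented AuthorizedKeysCommand pointing at
# sss_ssh_authorizedkeys; AuthorizedKeysCommandUser alone does not count.
check_sshd() {
    grep -Eiq '^[[:space:]]*AuthorizedKeysCommand[[:space:]=]+[^#]*sss_ssh_authorizedkeys' "$1"
}

# Prints one line per check; the return status is the number of failed checks.
audit_ipa_client() {
    fails=0
    if check_nsswitch "$1"; then echo "OK   nsswitch: sudoers uses sss ($1)"
    else echo "FAIL nsswitch: sudoers does not use sss ($1)"; fails=$((fails + 1)); fi
    if check_sssd "$2"; then echo "OK   sssd: sudo responder enabled ($2)"
    else echo "FAIL sssd: sudo not in [sssd] services ($2)"; fails=$((fails + 1)); fi
    if check_sshd "$3"; then echo "OK   sshd: AuthorizedKeysCommand set ($3)"
    else echo "FAIL sshd: AuthorizedKeysCommand not set ($3)"; fails=$((fails + 1)); fi
    return "$fails"
}
```

A non-zero status from audit_ipa_client gives the number of settings still missing, which makes it usable as a post-enrollment check in provisioning.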