[Freeipa-users] Sudo denied on first attempt, allowed on second attempt

Steve Dainard sdainard at miovision.com
Mon Feb 17 21:29:12 UTC 2014


I can't reproduce consistently on any OS including Fedora 20, but I was
able to trigger the issue on an Ubuntu 13.10 client.

sssd: 1.11.1

sudo: 1.8.6p3-0ubuntu3

I have only just enabled the sudo logging so it should only contain the
events below:

sdainard-admin at miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-admin at miovision.corp:
sdainard-admin at miovision.corp is not allowed to run sudo on ubu1310.  This
incident will be reported.
sdainard-admin at miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-admin at miovision.corp:
root at ubu1310:/home/miovision.corp/sdainard-admin#

Files attached outside of list.

Thanks,

*Steve Dainard *
IT Infrastructure Manager
Miovision <http://miovision.com/> | *Rethink Traffic*

*Blog <http://miovision.com/blog>  |  **LinkedIn
<https://www.linkedin.com/company/miovision-technologies>  |  Twitter
<https://twitter.com/miovision>  |  Facebook
<https://www.facebook.com/miovision>*
------------------------------
 Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON,
Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If
you are not the intended recipient, please delete the e-mail and any
attachments and notify us immediately.


On Mon, Feb 17, 2014 at 3:46 AM, Pavel Březina <pbrezina at redhat.com> wrote:

> On 02/16/2014 01:19 AM, Steve Dainard wrote:
>
>> Just experienced the same issue on Fedora 20:
>>
>> [sdainard-admin at miovision.corp@fed20 ~]$ sudo systemctl stop firewalld
>> [sudo] password for sdainard-admin at miovision.corp:
>> sdainard-admin at miovision.corp is not allowed to run sudo on fed20.  This
>> incident will be reported.
>> [sdainard-admin at miovision.corp@fed20 ~]$ sudo systemctl stop firewalld
>> [sudo] password for sdainard-admin at miovision.corp:
>> [sdainard-admin at miovision.corp@fed20 ~]$
>>
>> Sat Feb 15 19:10:30 2014 is the 2nd attempt in the logs (attached).
>>
>> /var/log/messages:
>> Feb 15 19:10:31 fed20 systemd: Stopping firewalld - dynamic firewall
>> daemon...
>> Feb 15 19:10:31 fed20 systemd: Stopped firewalld - dynamic firewall
>> daemon.
>>
>>
>> On Fri, Feb 14, 2014 at 4:33 PM, Steve Dainard <sdainard at miovision.com
>> <mailto:sdainard at miovision.com>> wrote:
>>
>>     On an Ubuntu 13.10 client, after configuring sssd to provide sudo
>>     service, I left the client idle for a few hours. On returning, I
>>     unlocked the screensaver and did the following:
>>
>>     sdainard-admin at miovision.corp@ubu1310:~$ sudo su
>>     [sudo] password for sdainard-admin at miovision.corp:
>>     sdainard-admin at miovision.corp is not allowed to run sudo on ubu1310.
>>       This incident will be reported.
>>     sdainard-admin at miovision.corp@ubu1310:~$ sudo su
>>     [sudo] password for sdainard-admin at miovision.corp:
>>     root at ubu1310:/home/miovision.corp/sdainard-admin#
>>
>>     I haven't experienced this on a Fedora 20 or EL client so I'm
>>     guessing this is something specific to Ubuntu.
>>
>>     I've attached the client sssd log if anyone can point me in the
>>     right direction.
>>
>>     Thanks,
>>
>
> Hi,
> the provided logs did not reveal anything bad. Can you also attach
> sssd_sudo.log, sssd_nss.log and sssd.conf please? Also what sssd and sudo
> version do you run?
>
> Is this always reproducible or does it happen only sporadically?
>
> Thanks.
>