[Freeipa-users] Sudo denied on first attempt, allowed on second attempt

Steve Dainard sdainard at miovision.com
Tue Feb 18 21:32:01 UTC 2014


Hi Pavel,

Very interesting, my IPA group membership in ad_admins isn't shown by that
command on first run (new login):

sdainard-admin at miovision.corp@ubu1310:~$ id sdainard-admin
uid=799002462(sdainard-admin at miovision.corp) gid=799002462(sdainard-admin at miovision.corp) groups=799002462(sdainard-admin at miovision.corp),799001380(accounting-share-access at miovision.corp),799001417(protected-share-access at miovision.corp),799000519(enterprise admins at miovision.corp),799001416(hr-share-access at miovision.corp),799000512(domain admins at miovision.corp),799000513(domain users at miovision.corp),799002464(it - admins at miovision.corp),799002469(kloperators at miovision.corp),799002468(kladmins at miovision.corp)

sdainard-admin at miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-admin at miovision.corp:
sdainard-admin at miovision.corp is not allowed to run sudo on ubu1310.  This
incident will be reported.

But after attempting the sudo command my groups do contain the IPA groups
admins, ad_admins:

sdainard-admin at miovision.corp@ubu1310:~$ id sdainard-admin
uid=799002462(sdainard-admin at miovision.corp) gid=799002462(sdainard-admin at miovision.corp) groups=799002462(sdainard-admin at miovision.corp),799001380(accounting-share-access at miovision.corp),799001417(protected-share-access at miovision.corp),799000519(enterprise admins at miovision.corp),799001416(hr-share-access at miovision.corp),799000512(domain admins at miovision.corp),799000513(domain users at miovision.corp),799002464(it - admins at miovision.corp),799002469(kloperators at miovision.corp),799002468(kladmins at miovision.corp),*1768200000(admins),1768200004(ad_admins)*

sdainard-admin at miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-admin at miovision.corp:
root at ubu1310:/home/miovision.corp/sdainard-admin#


Sudo rule (I had to create this; apparently it's a default rule, but it didn't
exist in my install on RHEL7 beta):
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: ad_admins

I saw the new dns update option (and refresh timers!), thanks.

*Steve Dainard *
IT Infrastructure Manager
Miovision <http://miovision.com/> | *Rethink Traffic*



On Tue, Feb 18, 2014 at 5:27 AM, Pavel Březina <pbrezina at redhat.com> wrote:

> On 02/17/2014 10:29 PM, Steve Dainard wrote:
>
>> I can't reproduce consistently on any OS including Fedora 20, but I was
>> able to trigger the issue on a Ubuntu 13.10 client.
>>
>> sssd: 1.11.1
>>
>> sudo: 1.8.6p3-0ubuntu3
>>
>> I have only just enabled the sudo logging so it should only contain the
>> events below:
>>
>> sdainard-admin at miovision.corp@ubu1310:~$ sudo su
>> [sudo] password for sdainard-admin at miovision.corp:
>> sdainard-admin at miovision.corp is not allowed to run sudo on ubu1310.
>>   This incident will be reported.
>> sdainard-admin at miovision.corp@ubu1310:~$ sudo su
>> [sudo] password for sdainard-admin at miovision.corp:
>> root at ubu1310:/home/miovision.corp/sdainard-admin#
>>
>> Files attached outside of list.
>>
>
> Hi,
> thank you for the logs. Can you also send me output of command "id
> sdainard-admin" (also check if group membership is correct) and definition
> of the sudo rule please?
>
> Also you may want to fix the following (unrelated) warning:
> Deprecation warning: The option ipa_dyndns_update is deprecated and should
> not be used in favor of dyndns_update
>
>
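A small check for the symptom in this thread, added here as an example and not code from the thread or from SSSD/FreeIPA: parse the `id` output and report which of the sudo rule's User Groups are absent from the resolved membership, so a first-login gap like the one above can be caught by a login or monitoring script before sudo denies it. The sample strings are constructed from the outputs above (with `@` written where the archive shows `at`).

```python
import re

# Constructed samples modelled on the two `id` runs in the thread: the first
# login lacks the IPA groups, the run after the sudo attempt has them.
ID_FIRST_LOGIN = (
    "uid=799002462(sdainard-admin@miovision.corp) "
    "gid=799002462(sdainard-admin@miovision.corp) "
    "groups=799002462(sdainard-admin@miovision.corp),"
    "799000512(domain admins@miovision.corp),"
    "799000513(domain users@miovision.corp)"
)
ID_AFTER_SUDO = ID_FIRST_LOGIN + ",1768200000(admins),1768200004(ad_admins)"

# Each group is rendered as gid(name); names may contain spaces, as AD
# groups such as "domain admins@..." do, so do not split on whitespace.
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(id_output):
    """Return {name: gid} for every entry in the groups= field of `id` output."""
    m = re.search(r"groups=(.*)$", id_output)
    if m is None:
        raise ValueError("no groups= field in id output")
    return {name: int(gid) for gid, name in GROUP_RE.findall(m.group(1))}


def missing_sudo_groups(id_output, rule_user_groups):
    """Names from the sudo rule's 'User Groups' that the user's resolved
    membership does not contain. Matches the short name too, so a rule
    written as 'ad_admins' also matches an 'ad_admins@domain' entry."""
    present = set()
    for name in parse_id_groups(id_output):
        present.add(name)
        present.add(name.split("@", 1)[0])
    return [g for g in rule_user_groups if g not in present]


if __name__ == "__main__":
    rule_groups = ["ad_admins"]  # from the "All" rule shown in the thread
    print("first login, missing:", missing_sudo_groups(ID_FIRST_LOGIN, rule_groups))
    print("after sudo, missing: ", missing_sudo_groups(ID_AFTER_SUDO, rule_groups))
```

On a real host, feed it `subprocess.check_output(["id", user])` instead of the constructed strings; a non-empty result right after login is the condition to alert on.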