[Freeipa-users] Sudo denied on first attempt, allowed on second attempt

Pavel Březina pbrezina at redhat.com
Wed Feb 19 13:48:33 UTC 2014


On 02/18/2014 10:32 PM, Steve Dainard wrote:
> Hi Pavel,
>
> Very interesting, my IPA group membership in ad_admins isn't shown by
> that command on first run (new login)
>
> sdainard-admin@miovision.corp@ubu1310:~$ id sdainard-admin
> uid=799002462(sdainard-admin@miovision.corp)
> gid=799002462(sdainard-admin@miovision.corp)
> groups=799002462(sdainard-admin@miovision.corp),799001380(accounting-share-access@miovision.corp),799001417(protected-share-access@miovision.corp),799000519(enterprise admins@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain admins@miovision.corp),799000513(domain users@miovision.corp),799002464(it - admins@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladmins@miovision.corp)
>
> sdainard-admin@miovision.corp@ubu1310:~$ sudo su
> [sudo] password for sdainard-admin@miovision.corp:
> sdainard-admin@miovision.corp is not allowed to run sudo on ubu1310.
>   This incident will be reported.
>
> But after attempting the sudo command my groups do contain the IPA
> groups admins,ad_admins:
>
> sdainard-admin@miovision.corp@ubu1310:~$ id sdainard-admin
> uid=799002462(sdainard-admin@miovision.corp)
> gid=799002462(sdainard-admin@miovision.corp)
> groups=799002462(sdainard-admin@miovision.corp),799001380(accounting-share-access@miovision.corp),799001417(protected-share-access@miovision.corp),799000519(enterprise admins@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain admins@miovision.corp),799000513(domain users@miovision.corp),799002464(it - admins@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladmins@miovision.corp),*1768200000(admins),1768200004(ad_admins)*
>
> sdainard-admin@miovision.corp@ubu1310:~$ sudo su
> [sudo] password for sdainard-admin@miovision.corp:
> root@ubu1310:/home/miovision.corp/sdainard-admin#
>
>
> Sudo rule (I had to create this; apparently it's a default rule, but it
> didn't exist in my install on RHEL7 beta):
>    Rule name: All
>    Enabled: TRUE
>    Host category: all
>    Command category: all
>    RunAs User category: all
>    RunAs Group category: all
>    User Groups: ad_admins

Can you tell me more information about admins and ad_admins groups and 
sdainard-admin? I would like to know how the membership is configured 
and what is their relation to AD. Dump of ipa user-show and ipa 
group-show should be enough, I think.

>
> I saw the new dns update option (and refresh timers!), thanks.
>
> Steve Dainard
> IT Infrastructure Manager
> Miovision <http://miovision.com/> | Rethink Traffic
>
>
>
> On Tue, Feb 18, 2014 at 5:27 AM, Pavel Březina <pbrezina at redhat.com
> <mailto:pbrezina at redhat.com>> wrote:
>
>     On 02/17/2014 10:29 PM, Steve Dainard wrote:
>
>         I can't reproduce consistently on any OS including Fedora 20,
>         but I was able to trigger the issue on a Ubuntu 13.10 client.
>
>         sssd: 1.11.1
>
>         sudo: 1.8.6p3-0ubuntu3
>
>         I have only just enabled the sudo logging so it should only
>         contain the events below:
>
>         sdainard-admin@miovision.corp@ubu1310:~$ sudo su
>         [sudo] password for sdainard-admin@miovision.corp:
>         sdainard-admin@miovision.corp is not allowed to run sudo on ubu1310.
>            This incident will be reported.
>         sdainard-admin@miovision.corp@ubu1310:~$ sudo su
>         [sudo] password for sdainard-admin@miovision.corp:
>         root@ubu1310:/home/miovision.corp/sdainard-admin#
>
>         Files attached outside of list.
>
>
>     Hi,
>     thank you for the logs. Can you also send me output of command "id
>     sdainard-admin" (also check if group membership is correct) and
>     definition of the sudo rule please?
>
>     Also you may want to fix the following (unrelated) warning:
>     Deprecation warning: The option ipa_dyndns_update is deprecated and
>     should not be used in favor of dyndns_update
>
>
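The thread turns on two `id` snapshots of the same user taken before and after a sudo attempt, with the sudo rule's User Groups (ad_admins) missing from the first. The following diagnostic is an added example written for this thread, not code from the list, SSSD or FreeIPA: it parses `id` output (group names may contain spaces and '@', as in "domain users@miovision.corp"), reports which rule groups are absent from a snapshot, and diffs two snapshots to show which groups were resolved late. The sample snapshots are constructed from the output quoted above, with some groups omitted for brevity.

```python
"""Compare `id` snapshots against a sudo rule's User Groups.

Added example for the Freeipa-users thread; not SSSD or FreeIPA code.
Paste real `id user` output into FIRST/SECOND to use it on a live client.
"""
import re
from typing import Dict, List

# One group entry is "1234(name)"; names may contain spaces and '@'.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(output: str) -> Dict[str, str]:
    """Return {gid: name} for every group listed after 'groups=' in one `id` line."""
    groups_part = output.split("groups=", 1)[1]
    return {gid: name for gid, name in _ENTRY.findall(groups_part)}


def missing_rule_groups(snapshot: str, rule_groups: List[str]) -> List[str]:
    """Rule User Groups that the resolver did not return in this snapshot."""
    names = set(parse_id(snapshot).values())
    return [g for g in rule_groups if g not in names]


def late_groups(first: str, second: str) -> Dict[str, str]:
    """Groups present in the second snapshot but absent from the first."""
    before, after = parse_id(first), parse_id(second)
    return {gid: name for gid, name in after.items() if gid not in before}


# Constructed sample snapshots modelled on the thread (several AD groups omitted).
FIRST = (
    "uid=799002462(sdainard-admin@miovision.corp) "
    "gid=799002462(sdainard-admin@miovision.corp) "
    "groups=799002462(sdainard-admin@miovision.corp),"
    "799000512(domain admins@miovision.corp),"
    "799000513(domain users@miovision.corp),"
    "799002464(it - admins@miovision.corp)"
)
# Second run: the IPA groups appear, as in the thread's second `id` output.
SECOND = FIRST + ",1768200000(admins),1768200004(ad_admins)"
RULE_GROUPS = ["ad_admins"]  # User Groups of the "All" sudo rule in the thread

if __name__ == "__main__":
    print("rule groups missing on first run:", missing_rule_groups(FIRST, RULE_GROUPS))
    print("groups that appeared after the sudo attempt:", late_groups(FIRST, SECOND))
```

When the first call reports a non-empty list, sudo's denial on that attempt is explained by the membership the resolver returned at that moment, not by the rule itself.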