[Freeipa-users] Sudo denied on first attempt, allowed on second attempt

Pavel Brezina pbrezina at redhat.com
Mon Feb 24 15:46:19 UTC 2014


Hi,
I wasn't able to reproduce with membership setup exactly like this. I 
have already seen a similar problem once; unfortunately the user stopped 
responding before we could reach the root cause. I think it is correct 
from sudo's point of view; what is problematic here is the missing group 
membership.

It seems that membership of trusted user is not resolved correctly. 
Sumit, Jakub, do you have any ideas?

On 02/19/2014 03:27 PM, Steve Dainard wrote:
> Hi Pavel,
>
> sdainard-admin is a Windows domain user, part of an external group
> 'ad_admins_external' which is a member of 'ad_admins', an ipa posix group.
>
> 'admins' groups is the built-in ipa admin group.
>
> ipa group-show admins
>    Group name: admins
>    Description: Account administrators group
>    GID: 1768200000
>    Member users: admin
>    Member groups: ad_admins
>    Member of Sudo rule: ad_admins
>    Indirect Member groups: ad_admins_external
>
> ipa group-show ad_admins
>    Group name: ad_admins
>    Description: miovision.corp admins
>    GID: 1768200004
>    Member users: admin
>    Member groups: ad_admins_external
>    Member of groups: admins
>    Member of Sudo rule: ad_admins, All
>
> Thanks,
>
> *Steve Dainard *
> IT Infrastructure Manager
> Miovision <http://miovision.com/> | /Rethink Traffic/
>
> *Blog <http://miovision.com/blog>  | **LinkedIn
> <https://www.linkedin.com/company/miovision-technologies>  | Twitter
> <https://twitter.com/miovision>  | Facebook
> <https://www.facebook.com/miovision>*
> ------------------------------------------------------------------------
> Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener,
> ON, Canada | N2C 1L3
> This e-mail may contain information that is privileged or confidential.
> If you are not the intended recipient, please delete the e-mail and any
> attachments and notify us immediately.
>
>
> On Wed, Feb 19, 2014 at 8:48 AM, Pavel Březina <pbrezina at redhat.com> wrote:
>
>     On 02/18/2014 10:32 PM, Steve Dainard wrote:
>
>         Hi Pavel,
>
>         Very interesting, my IPA group membership in ad_admins isn't
>         shown by that command on first run (new login)
>
>         sdainard-admin at miovision.corp@ubu1310:~$ id sdainard-admin
>         uid=799002462(sdainard-admin at miovision.corp)
>         gid=799002462(sdainard-admin at miovision.corp)
>         groups=799002462(sdainard-admin at miovision.corp),799001380(accounting-share-access at miovision.corp),799001417(protected-share-access at miovision.corp),799000519(enterprise admins at miovision.corp),799001416(hr-share-access at miovision.corp),799000512(domain admins at miovision.corp),799000513(domain users at miovision.corp),799002464(it - admins at miovision.corp),799002469(kloperators at miovision.corp),799002468(kladmins at miovision.corp)
>
>         sdainard-admin at miovision.corp@ubu1310:~$ sudo su
>         [sudo] password for sdainard-admin at miovision.corp:
>         sdainard-admin at miovision.corp is not allowed to run sudo on ubu1310.
>            This incident will be reported.
>
>         But after attempting the sudo command my groups do contain the IPA
>         groups admins,ad_admins:
>
>         sdainard-admin at miovision.corp@ubu1310:~$ id sdainard-admin
>         uid=799002462(sdainard-admin at miovision.corp)
>         gid=799002462(sdainard-admin at miovision.corp)
>         groups=799002462(sdainard-admin at miovision.corp),799001380(accounting-share-access at miovision.corp),799001417(protected-share-access at miovision.corp),799000519(enterprise admins at miovision.corp),799001416(hr-share-access at miovision.corp),799000512(domain admins at miovision.corp),799000513(domain users at miovision.corp),799002464(it - admins at miovision.corp),799002469(kloperators at miovision.corp),799002468(kladmins at miovision.corp),*1768200000(admins),1768200004(ad_admins)*
>
>
>         sdainard-admin at miovision.corp@ubu1310:~$ sudo su
>         [sudo] password for sdainard-admin at miovision.corp:
>         root at ubu1310:/home/miovision.corp/sdainard-admin#
>
>
>         Sudo rule (I had to create this; apparently it's a default rule, but
>         it didn't exist in my install on RHEL7 beta):
>             Rule name: All
>             Enabled: TRUE
>             Host category: all
>             Command category: all
>             RunAs User category: all
>             RunAs Group category: all
>             User Groups: ad_admins
>
>
>     Can you tell me more information about admins and ad_admins groups
>     and sdainard-admin? I would like to know how the membership is
>     configured and what is their relation to AD. Dump of ipa user-show
>     and ipa group-show should be enough, I think.
>
>
>         I saw the new dns update option (and refresh timers!), thanks.
>
>
>
>         On Tue, Feb 18, 2014 at 5:27 AM, Pavel Březina <pbrezina at redhat.com> wrote:
>
>              On 02/17/2014 10:29 PM, Steve Dainard wrote:
>
>                  I can't reproduce consistently on any OS including Fedora 20,
>                  but I was able to trigger the issue on a Ubuntu 13.10 client.
>
>                  sssd: 1.11.1
>
>                  sudo: 1.8.6p3-0ubuntu3
>
>                  I have only just enabled the sudo logging so it should only
>                  contain the events below:
>
>                  sdainard-admin at miovision.corp@ubu1310:~$ sudo su
>
>                  [sudo] password for sdainard-admin at miovision.corp:
>                  sdainard-admin at miovision.corp is not allowed to run sudo on ubu1310.
>                     This incident will be reported.
>                  sdainard-admin at miovision.corp@ubu1310:~$ sudo su
>                  [sudo] password for sdainard-admin at miovision.corp:
>                  root at ubu1310:/home/miovision.corp/sdainard-admin#
>
>
>                  Files attached outside of list.
>
>
>              Hi,
>              thank you for the logs. Can you also send me output of
>              command "id sdainard-admin" (also check if group membership is correct) and
>              definition of the sudo rule please?
>
>              Also you may want to fix the following (unrelated) warning:
>              Deprecation warning: The option ipa_dyndns_update is
>              deprecated and should not be used in favor of dyndns_update
>
>
>
>
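A small diagnostic check, added here as an example and not part of the thread, that turns the two `id` outputs quoted above into the answer Pavel gives: the sudo rule "All" applies to User Groups: ad_admins, so the first lookup (no IPA groups resolved yet) cannot match the rule, while the second (admins and ad_admins now present) can. The sample `id` strings are constructed from the quoted output, shortened to the groups that matter and written with `@` instead of the list archive's "at".

```python
import re

# Constructed from the `id sdainard-admin` output quoted in the thread:
# first login (IPA groups missing) and after the failed sudo attempt.
ID_FIRST_LOGIN = ("uid=799002462(sdainard-admin@miovision.corp) "
                  "gid=799002462(sdainard-admin@miovision.corp) "
                  "groups=799002462(sdainard-admin@miovision.corp),"
                  "799000512(domain admins@miovision.corp),"
                  "799002464(it - admins@miovision.corp)")
ID_AFTER_SUDO = ID_FIRST_LOGIN + ",1768200000(admins),1768200004(ad_admins)"

# The IPA sudo rule from the thread: rule "All" with "User Groups: ad_admins".
SUDO_RULE_USER_GROUPS = {"ad_admins"}

# Each group appears as GID(name); names may contain spaces or hyphens.
_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_groups(id_output: str) -> dict:
    """Return {gid: group_name} for the groups= section of `id` output."""
    m = re.search(r"groups=(.*)$", id_output)
    if not m:
        return {}
    return {int(gid): name for gid, name in _GROUP_RE.findall(m.group(1))}


def sudo_rule_matches(id_output: str, rule_groups=SUDO_RULE_USER_GROUPS) -> bool:
    """True if any group the user currently resolves to is named in the rule."""
    names = set(parse_groups(id_output).values())
    return bool(names & rule_groups)


def groups_resolved_late(first: str, later: str) -> dict:
    """Groups present in a later lookup that were absent at first login.

    A non-empty result is the symptom in this thread: membership of the
    trusted (AD) user in IPA POSIX groups is not resolved on the first lookup.
    """
    before, after = parse_groups(first), parse_groups(later)
    return {gid: after[gid] for gid in after.keys() - before.keys()}


if __name__ == "__main__":
    print("first login matches rule:", sudo_rule_matches(ID_FIRST_LOGIN))
    print("after sudo matches rule: ", sudo_rule_matches(ID_AFTER_SUDO))
    print("resolved late:", groups_resolved_late(ID_FIRST_LOGIN, ID_AFTER_SUDO))
```

Feeding the real `id` output of a user on two successive lookups into `groups_resolved_late` gives a quick way to confirm whether a sudo denial is a rule problem or the late group resolution seen here.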