[Freeipa-users] Sudo denied on first attempt, allowed on second attempt

Steve Dainard sdainard at miovision.com
Mon Mar 3 19:01:52 UTC 2014


Hi Jakub, id info from earlier response:

>         Very interesting, my IPA group membership in ad_admins isn't
>         shown by
>         that command on first run (new login)
>
>         sdainard-admin@miovision.corp@ubu1310:~$ id sdainard-admin
>         uid=799002462(sdainard-admin@miovision.corp)
>         gid=799002462(sdainard-admin@miovision.corp)
>         groups=799002462(sdainard-admin@miovision.corp),799001380(accounting-share-access@miovision.corp),799001417(protected-share-access@miovision.corp),799000519(enterprise admins@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain admins@miovision.corp),799000513(domain users@miovision.corp),799002464(it - admins@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladmins@miovision.corp)
>
>         sdainard-admin@miovision.corp@ubu1310:~$ sudo su
>         [sudo] password for sdainard-admin@miovision.corp:
>         sdainard-admin@miovision.corp is not allowed to run sudo on ubu1310.  This incident will be reported.
>
>         But after attempting the sudo command my groups do contain the IPA
>         groups admins,ad_admins:
>
>         sdainard-admin@miovision.corp@ubu1310:~$ id sdainard-admin
>         uid=799002462(sdainard-admin@miovision.corp)
>         gid=799002462(sdainard-admin@miovision.corp)
>         groups=799002462(sdainard-admin@miovision.corp),799001380(accounting-share-access@miovision.corp),799001417(protected-share-access@miovision.corp),799000519(enterprise admins@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain admins@miovision.corp),799000513(domain users@miovision.corp),799002464(it - admins@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladmins@miovision.corp),*1768200000(admins),1768200004(ad_admins)*
>

Steve Dainard
IT Infrastructure Manager
Miovision <http://miovision.com/> | Rethink Traffic

Blog <http://miovision.com/blog> | LinkedIn <https://www.linkedin.com/company/miovision-technologies> | Twitter <https://twitter.com/miovision> | Facebook <https://www.facebook.com/miovision>


On Mon, Feb 24, 2014 at 10:55 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Mon, Feb 24, 2014 at 10:46:19AM -0500, Pavel Brezina wrote:
> > Hi,
> > I wasn't able to reproduce with membership setup exactly like this. I
> > have already seen similar problem once, unfortunately the user stopped
> > responding before we could reach the root cause. I think it is correct
> > from the sudo point of view, what is problematic here is missing group
> > membership.
> >
> > It seems that membership of trusted user is not resolved correctly.
> > Sumit, Jakub, do you have any ideas?
>
> Did you verify if "id" prints the expected groups for the user in question
> after he logs in? I think we need to first verify if the memberships are
> stored correctly in the cache.
>
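Jakub's suggestion is to compare what `id` prints right after login against the memberships the user is expected to have. The helper below is an added example (not code from the thread or from SSSD/FreeIPA): it parses the `groups=` field of an `id` line and reports which expected IPA groups are absent, and which ones appear only in a later run. The sample outputs are constructed from the two `id` runs quoted above, trimmed to a few groups.

```python
import re

# Constructed from the thread's two `id` outputs (wrapping artifacts removed, list shortened).
ID_FIRST_RUN = (
    "uid=799002462(sdainard-admin@miovision.corp) "
    "gid=799002462(sdainard-admin@miovision.corp) "
    "groups=799002462(sdainard-admin@miovision.corp),"
    "799000519(enterprise admins@miovision.corp),"
    "799000512(domain admins@miovision.corp),"
    "799000513(domain users@miovision.corp)"
)
# After the failed sudo attempt, the two IPA groups appear at the end of the list.
ID_AFTER_SUDO = ID_FIRST_RUN + ",1768200000(admins),1768200004(ad_admins)"

# One "gid(name)" entry; names may contain spaces and '@' (AD groups via trust).
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(output):
    """Return {gid: name} for every entry in the groups= field of an `id` line."""
    m = re.search(r"groups=(.*)$", output.strip())
    if not m:
        raise ValueError("no groups= field found in id output")
    return {int(gid): name for gid, name in ENTRY.findall(m.group(1))}


def missing_expected(output, expected):
    """Expected group names that `id` did not print (i.e. not yet resolved/cached)."""
    present = set(parse_id(output).values())
    return sorted(set(expected) - present)


def newly_resolved(before, after):
    """Groups present in the later `id` run but absent from the earlier one, keyed by GID."""
    earlier, later = parse_id(before), parse_id(after)
    return {gid: name for gid, name in later.items() if gid not in earlier}


if __name__ == "__main__":
    print("missing on first run:", missing_expected(ID_FIRST_RUN, ["admins", "ad_admins"]))
    print("resolved only later: ", newly_resolved(ID_FIRST_RUN, ID_AFTER_SUDO))
```

On a real host, capture `id <user>` immediately after a fresh login and again after the sudo attempt, and feed both strings to `newly_resolved` to see exactly which memberships the cache was missing at first.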