[Freeipa-users] Sudo denied on first attempt, allowed on second attempt
Steve Dainard
sdainard at miovision.com
Mon Mar 3 22:35:48 UTC 2014
Sumit,
Unfortunately 1.11.1 is the only version available for Ubuntu 13.10.
I've also had the same problem with an updated version of Fedora 20, so I
don't think it's specific to this package version.
On Mon, Mar 3, 2014 at 2:01 PM, Steve Dainard <sdainard at miovision.com> wrote:
> Hi Jakub, id info from earlier response:
>
> > Very interesting, my IPA group membership in ad_admins isn't shown by
> > that command on first run (new login)
> >
> > sdainard-admin at miovision.corp@ubu1310:~$ id sdainard-admin
> > uid=799002462(sdainard-admin at miovision.corp)
> > gid=799002462(sdainard-admin at miovision.corp)
> > groups=799002462(sdainard-admin at miovision.corp),
> > 799001380(accounting-share-access at miovision.corp),
> > 799001417(protected-share-access at miovision.corp),
> > 799000519(enterprise admins at miovision.corp),
> > 799001416(hr-share-access at miovision.corp),
> > 799000512(domain admins at miovision.corp),
> > 799000513(domain users at miovision.corp),
> > 799002464(it - admins at miovision.corp),
> > 799002469(kloperators at miovision.corp),
> > 799002468(kladmins at miovision.corp)
> >
> > sdainard-admin at miovision.corp@ubu1310:~$ sudo su
> > [sudo] password for sdainard-admin at miovision.corp:
> > sdainard-admin at miovision.corp is not allowed to run sudo on ubu1310.
> > This incident will be reported.
> >
> > But after attempting the sudo command my groups do contain the IPA
> > groups admins,ad_admins:
> >
> > sdainard-admin at miovision.corp@ubu1310:~$ id sdainard-admin
> > uid=799002462(sdainard-admin at miovision.corp)
> > gid=799002462(sdainard-admin at miovision.corp)
> > groups=799002462(sdainard-admin at miovision.corp),
> > 799001380(accounting-share-access at miovision.corp),
> > 799001417(protected-share-access at miovision.corp),
> > 799000519(enterprise admins at miovision.corp),
> > 799001416(hr-share-access at miovision.corp),
> > 799000512(domain admins at miovision.corp),
> > 799000513(domain users at miovision.corp),
> > 799002464(it - admins at miovision.corp),
> > 799002469(kloperators at miovision.corp),
> > 799002468(kladmins at miovision.corp),
> > *1768200000(admins),1768200004(ad_admins)*
> >
>
> On Mon, Feb 24, 2014 at 10:55 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>> On Mon, Feb 24, 2014 at 10:46:19AM -0500, Pavel Brezina wrote:
>> > Hi,
>> > I wasn't able to reproduce with membership set up exactly like this. I
>> > have already seen a similar problem once, unfortunately the user stopped
>> > responding before we could reach the root cause. I think it is correct
>> > from the sudo point of view, what is problematic here is the missing group
>> > membership.
>> >
>> > It seems that the membership of the trusted user is not resolved correctly.
>> > Sumit, Jakub, do you have any ideas?
>>
>> Did you verify if "id" prints the expected groups for the user in question
>> after he logs in? I think we need to first verify if the memberships are
>> stored correctly to the cache.
>>
>
>
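
Added example, not part of the original message and not SSSD or FreeIPA code: a Python helper that diffs the `groups=` field of two `id` runs, like the before/after output quoted above, and reports which groups only appeared after the denied sudo attempt. The sample strings, the `ad.example.test` domain and the gids are constructed; only the group names `admins` and `ad_admins` come from the thread.

```python
import re

# One "gid(name)" entry; names may contain spaces, '@' and '-', but never ')'.
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")

def parse_groups(id_output):
    """Return {gid: name} from the groups= field of `id` output."""
    # Stop before an SELinux "context=" field if the host prints one.
    m = re.search(r"groups=(.*?)(?:\s+context=|$)", id_output, re.S)
    if not m:
        raise ValueError("no groups= field in id output")
    # Terminals and mail clients wrap the long line; collapse whitespace runs
    # so a name split across lines ("domain\nusers") is read as one name.
    field = re.sub(r"\s+", " ", m.group(1))
    return {int(gid): name.strip() for gid, name in ENTRY.findall(field)}

def late_groups(before, after):
    """(gid, name) pairs present only in the second `id` run, sorted by gid."""
    b, a = parse_groups(before), parse_groups(after)
    return sorted((gid, a[gid]) for gid in a.keys() - b.keys())

def sudo_gap(before, after, sudo_groups):
    """Groups a sudo rule depends on that were missing on the first run."""
    return sorted(n for _, n in late_groups(before, after) if n in sudo_groups)

# Constructed sample mirroring the shape of the output in the thread.
BEFORE = ("uid=5001(alice@ad.example.test) gid=5001(alice@ad.example.test) "
          "groups=5001(alice@ad.example.test),5002(domain\n"
          "users@ad.example.test),5003(it - admins@ad.example.test)")
AFTER = BEFORE + ",\n9000(admins),9004(ad_admins)"

if __name__ == "__main__":
    for gid, name in late_groups(BEFORE, AFTER):
        print(f"appeared only on second lookup: {gid} {name}")
    missing = sudo_gap(BEFORE, AFTER, {"ad_admins"})
    if missing:
        print("sudo rule groups absent at first evaluation:", ", ".join(missing))
```

On a live client the two inputs would be the output of `id <user>` captured right after login and again after the failed `sudo`.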