[Freeipa-users] Sudo denied on first attempt, allowed on second attempt

Jakub Hrozek jhrozek at redhat.com
Tue Mar 4 09:53:20 UTC 2014


On Mon, Mar 03, 2014 at 02:01:52PM -0500, Steve Dainard wrote:
> Hi Jakub, id info from earlier response:
> 
> >         Very interesting, my IPA group membership in ad_admins isn't
> >         shown by that command on first run (new login)
> >
> >         sdainard-admin at miovision.corp@ubu1310:~$ id sdainard-admin
> >         uid=799002462(sdainard-admin at miovision.corp)
> >         gid=799002462(sdainard-admin at miovision.corp)
> >         groups=799002462(sdainard-admin at miovision.corp),
> >         799001380(accounting-share-access at miovision.corp),
> >         799001417(protected-share-access at miovision.corp),
> >         799000519(enterprise admins at miovision.corp),
> >         799001416(hr-share-access at miovision.corp),
> >         799000512(domain admins at miovision.corp),
> >         799000513(domain users at miovision.corp),
> >         799002464(it - admins at miovision.corp),
> >         799002469(kloperators at miovision.corp),
> >         799002468(kladmins at miovision.corp)
> >
> >         sdainard-admin at miovision.corp@ubu1310:~$ sudo su
> >         [sudo] password for sdainard-admin at miovision.corp:
> >         sdainard-admin at miovision.corp is not allowed to run sudo on ubu1310.
> >            This incident will be reported.
> >
> >         But after attempting the sudo command my groups do contain the IPA
> >         groups admins,ad_admins:
> >
> >         sdainard-admin at miovision.corp@ubu1310:~$ id sdainard-admin
> >         uid=799002462(sdainard-admin at miovision.corp)
> >         gid=799002462(sdainard-admin at miovision.corp)
> >         groups=799002462(sdainard-admin at miovision.corp),
> >         799001380(accounting-share-access at miovision.corp),
> >         799001417(protected-share-access at miovision.corp),
> >         799000519(enterprise admins at miovision.corp),
> >         799001416(hr-share-access at miovision.corp),
> >         799000512(domain admins at miovision.corp),
> >         799000513(domain users at miovision.corp),
> >         799002464(it - admins at miovision.corp),
> >         799002469(kloperators at miovision.corp),
> >         799002468(kladmins at miovision.corp),
> >         *1768200000(admins),1768200004(ad_admins)*
> >

Interesting, I would have thought that both sudo and id after login
yield the same information. Can you send the SSSD logs? Feel free to
send them privately.



