[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

Lukas Slebodnik lslebodn at redhat.com
Thu Jul 14 10:21:38 UTC 2016


On (14/07/16 11:26), Tomas Simecek wrote:
>Hi Lukas,
>we have Active Directory group "UnixAdmins"
>.
>We have IPA external group ad_admins_external
><https://svlxxipap.linuxdomain.cz/ipa/ui/#ad_admins_external>, which has
>Windows "UnixAdmins" group as a member.
>We have local IPA group grpunixadmins
><https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>, which has
>ad_admins_external group as a member.
>So from that perspective user simecek.tomas at sd-stc.cz is a member of
>grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>.
>That setup works for ssh logins and for sudo on Centos 7.0.
>
If a user is a member of a group in IPA, it does not mean that
it's properly propagated to the client :-)

I can see a few errors in the log:
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
>object](32)[ldb_wait: No such object (32)]
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_update_members_ex] (0x0020): Could not add member [
>simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz
>,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[ipa_s2n_save_objects] (0x2000): Updating memberships for
>simecek.tomas at sd-stc.cz
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
>object](32)[ldb_wait: No such object (32)]
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_update_members_ex] (0x0020): Could not add member [
>simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz
>,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.

Please test with id simecek.tomas at sd-stc.cz.
I'm pretty sure that you will not see the group grpunixadmins.

BTW, according to the domain logs it looks like a bug with the extop plugin
on the FreeIPA server. I assume that the IPA server is on CentOS 7.0
because you mention it works on CentOS 7.0.

I would strongly recommend upgrading the server to 7.2.

LS
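As an added example (not from this thread or from sssd itself), a small Python check that parses sssd domain-log entries of the kind quoted above for `sysdb_update_members_ex` failures and, following the `id` test suggested in the reply, confirms from `id` output whether the expected IPA group actually reached the client. The sample log entries and the `id` output are constructed; the uid numbers are placeholders.

```python
import re
from collections import defaultdict

# Shape of one entry in the sssd domain log (/var/log/sssd/sssd_<domain>.log):
# (timestamp) [sssd[be[<domain>]]] [<function>] (<debug level>): <message>
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)
# sysdb_update_members_ex logs this when a membership cannot be written to the local cache.
MEMBER_FAIL_RE = re.compile(
    r"Could not add member \[(?P<member>[^\]]+)\] to group \[(?P<group>[^\]]+)\]"
)

# Constructed sample modelled on the lines quoted in the thread (the real log keeps each entry on one line).
SAMPLE_LOG = """\
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas@sd-stc.cz] to group [name=simecek.tomas@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas@sd-stc.cz
"""
# Constructed `id simecek.tomas@sd-stc.cz` output from a client on which the IPA group never arrived (placeholder uids).
SAMPLE_ID = "uid=10001(simecek.tomas@sd-stc.cz) gid=10001(simecek.tomas@sd-stc.cz) groups=10001(simecek.tomas@sd-stc.cz)"

def parse_line(line):
    """Split one domain-log entry into its fields; None for lines that are not log entries."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_memberships(log_text):
    """Map each member from a 'Could not add member' entry to the group DNs sssd failed to write."""
    failed = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["func"] != "sysdb_update_members_ex":
            continue
        m = MEMBER_FAIL_RE.search(rec["msg"])
        if m:
            failed[m.group("member")].append(m.group("group"))
    return dict(failed)

def groups_from_id(id_output):
    """Return the group names in `id <user>` output, e.g. 'groups=10(wheel),20(grpunixadmins)'."""
    m = re.search(r"groups=(.*)$", id_output.strip())
    return set(re.findall(r"\d+\(([^)]+)\)", m.group(1))) if m else set()

def membership_propagated(id_output, group_name):
    """True only when the group IPA should deliver actually shows up on the client."""
    return group_name in groups_from_id(id_output)
```

A non-empty result from `failed_memberships` on a client's domain log, together with `membership_propagated` returning False for grpunixadmins, is the client-side evidence that the membership seen in the IPA web UI never made it into the sssd cache.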
