Hi Pavel,

sdainard-admin is a Windows domain user, part of an external group
'ad_admins_external' which is a member of 'ad_admins', an ipa posix group.

'admins' group is the built-in ipa admin group.

ipa group-show admins
  Group name: admins
  Description: Account administrators group
  GID: 1768200000
  Member users: admin
  Member groups: ad_admins
  Member of Sudo rule: ad_admins
  Indirect Member groups: ad_admins_external

ipa group-show ad_admins
  Group name: ad_admins
  Description: miovision.corp admins
  GID: 1768200004
  Member users: admin
  Member groups: ad_admins_external
  Member of groups: admins
  Member of Sudo rule: ad_admins, All

Thanks,

Steve Dainard
IT Infrastructure Manager
Miovision <http://miovision.com/> | Rethink Traffic

Blog <http://miovision.com/blog> | LinkedIn
<https://www.linkedin.com/company/miovision-technologies> | Twitter
<https://twitter.com/miovision> | Facebook
<https://www.facebook.com/miovision>
------------------------------
 Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON,
Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If
you are not the intended recipient, please delete the e-mail and any
attachments and notify us immediately.


On Wed, Feb 19, 2014 at 8:48 AM, Pavel Březina <pbrez...@redhat.com> wrote:

> On 02/18/2014 10:32 PM, Steve Dainard wrote:
>
>> Hi Pavel,
>>
>> Very interesting, my IPA group membership in ad_admins isn't shown by
>> that command on first run (new login)
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
>> uid=799002462(sdainard-ad...@miovision.corp)
>> gid=799002462(sdainard-ad...@miovision.corp)
>> groups=799002462(sdainard-ad...@miovision.corp),
>> 799001380(accounting-share-acc...@miovision.corp),
>> 799001417(protected-share-acc...@miovision.corp),799000519(enterprise
>> adm...@miovision.corp),799001416(hr-share-access@
>> miovision.corp),799000512(domain
>> adm...@miovision.corp),799000513(domain
>> us...@miovision.corp),799002464(it -
>> adm...@miovision.corp),799002469(kloperat...@miovision.corp),799002468(
>> kladm...@miovision.corp)
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>> [sudo] password for sdainard-ad...@miovision.corp:
>> sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.
>>   This incident will be reported.
>>
>> But after attempting the sudo command my groups do contain the IPA
>> groups admins,ad_admins:
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
>> uid=799002462(sdainard-ad...@miovision.corp)
>> gid=799002462(sdainard-ad...@miovision.corp)
>> groups=799002462(sdainard-ad...@miovision.corp),
>> 799001380(accounting-share-acc...@miovision.corp),
>> 799001417(protected-share-acc...@miovision.corp),799000519(enterprise
>> adm...@miovision.corp),799001416(hr-share-access@
>> miovision.corp),799000512(domain
>> adm...@miovision.corp),799000513(domain
>> us...@miovision.corp),799002464(it -
>> adm...@miovision.corp),799002469(kloperat...@miovision.corp),799002468(
>> kladm...@miovision.corp),*1768200000(admins),1768200004(ad_admins)*
>>
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>> [sudo] password for sdainard-ad...@miovision.corp:
>> root@ubu1310:/home/miovision.corp/sdainard-admin#
>>
>>
>> Sudo rule (I had to create this, apparently it's a default rule, but
>> didn't exist in my install on RHEL7 beta):
>>    Rule name: All
>>    Enabled: TRUE
>>    Host category: all
>>    Command category: all
>>    RunAs User category: all
>>    RunAs Group category: all
>>    User Groups: ad_admins
>>
>
> Can you tell me more information about admins and ad_admins groups and
> sdainard-admin? I would like to know how the membership is configured and
> what is their relation to AD. Dump of ipa user-show and ipa group-show
> should be enough, I think.
>
>
>> I saw the new dns update option (and refresh timers!), thanks.
>>
>>
>>
>> On Tue, Feb 18, 2014 at 5:27 AM, Pavel Březina <pbrez...@redhat.com
>> <mailto:pbrez...@redhat.com>> wrote:
>>
>>     On 02/17/2014 10:29 PM, Steve Dainard wrote:
>>
>>         I can't reproduce consistently on any OS including Fedora 20,
>>         but I was
>>         able to trigger the issue on a Ubuntu 13.10 client.
>>
>>         sssd: 1.11.1
>>
>>         sudo: 1.8.6p3-0ubuntu3
>>
>>         I have only just enabled the sudo logging so it should only
>>         contain the
>>         events below:
>>
>>         sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>>
>>         [sudo] password for sdainard-ad...@miovision.corp:
>>         sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.
>>            This incident will be reported.
>>         sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>>         [sudo] password for sdainard-ad...@miovision.corp:
>>         root@ubu1310:/home/miovision.corp/sdainard-admin#
>>
>>
>>         Files attached outside of list.
>>
>>
>>     Hi,
>>     thank you for the logs. Can you also send me output of command "id
>>     sdainard-admin" (also check if group membership is correct) and
>>     definition of the sudo rule please?
>>
>>     Also you may want to fix the following (unrelated) warning:
>>     Deprecation warning: The option ipa_dyndns_update is deprecated and
>>     should not be used in favor of dyndns_update
>>
>>
>>
>
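Added example, not from this thread and not SSSD or FreeIPA code: a small Python check that resolves the nested group chain the thread describes (sdainard-admin in ad_admins_external, which is in ad_admins, which is in admins) and compares it with the groups actually present in an `id` line, so the first-login symptom (the sudo rule's User Group missing from the user's token) can be spotted before sudo denies. The group records, the external membership map and the two `id` lines are constructed; only the admins/ad_admins names and GIDs are taken from the thread.

```python
import re

# Constructed group records modelled on the `ipa group-show` output above.
# GIDs for admins and ad_admins are the ones in the thread; ad_admins_external
# is the non-POSIX external group that maps the AD members, so it has no GID.
GROUPS = {
    "admins": {"gid": 1768200000, "member_groups": ["ad_admins"]},
    "ad_admins": {"gid": 1768200004, "member_groups": ["ad_admins_external"]},
    "ad_admins_external": {"gid": None, "member_groups": []},
}

# Constructed: the external group each AD user is a direct member of.
EXTERNAL_MEMBERSHIP = {"sdainard-admin": ["ad_admins_external"]}

# Constructed `id` lines for the two states seen in the thread: the first
# login without the IPA groups, and the refreshed token that carries them.
ID_FIRST_LOGIN = (
    "uid=799002462(sdainard-admin@miovision.corp) "
    "gid=799002462(sdainard-admin@miovision.corp) "
    "groups=799002462(sdainard-admin@miovision.corp),"
    "799000512(domain admins@miovision.corp)"
)
ID_AFTER_REFRESH = ID_FIRST_LOGIN + ",1768200000(admins),1768200004(ad_admins)"


def resolve_groups(user, groups=GROUPS, external=EXTERNAL_MEMBERSHIP):
    """Every POSIX group the user belongs to, directly or through nesting."""
    parents = {}
    for name, rec in groups.items():
        for child in rec["member_groups"]:
            parents.setdefault(child, set()).add(name)
    seen = set()
    stack = list(external.get(user, []))
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(parents.get(g, ()))
    # External groups carry no GID, so they never appear in a POSIX token.
    return {g for g in seen if groups[g]["gid"] is not None}


def parse_id_groups(id_output):
    """Map gid -> group name from the groups= part of a single `id` line."""
    m = re.search(r"groups=(.*)$", id_output)
    if not m:
        return {}
    return {int(gid): name
            for gid, name in re.findall(r"(\d+)\(([^)]*)\)", m.group(1))}


def missing_sudo_groups(user, id_output, rule_groups):
    """Rule groups IPA grants the user that the current token does not carry.

    A non-empty result is the first-login symptom from the thread: the sudo
    rule matches on ad_admins, but the token lacks it, so sudo denies.
    """
    expected = resolve_groups(user) & set(rule_groups)
    present = set(parse_id_groups(id_output).values())
    return expected - present


if __name__ == "__main__":
    for label, out in (("first login", ID_FIRST_LOGIN),
                       ("after refresh", ID_AFTER_REFRESH)):
        gap = missing_sudo_groups("sdainard-admin", out, ["ad_admins"])
        print(f"{label}: missing {sorted(gap) or 'nothing'}")
```

Run against a real host, the `id` line would come from `id <user>` at login time and the rule groups from the sudo rule's User Groups field; a non-empty result before any sudo attempt is the state the thread shows on the Ubuntu 13.10 client.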
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
