Hi,
I wasn't able to reproduce with a membership setup exactly like this. I 
have already seen a similar problem once; unfortunately the user stopped 
responding before we could reach the root cause. I think it is correct 
from the sudo point of view; what is problematic here is the missing group 
membership.

It seems that the membership of the trusted user is not resolved correctly. 
Sumit, Jakub, do you have any ideas?

On 02/19/2014 03:27 PM, Steve Dainard wrote:
> Hi Pavel,
>
> sdainard-admin is a Windows domain user, part of an external group
> 'ad_admins_external' which is a member of 'ad_admins', an ipa posix group.
>
> 'admins' group is the built-in ipa admin group.
>
> ipa group-show admins
>    Group name: admins
>    Description: Account administrators group
>    GID: 1768200000
>    Member users: admin
>    Member groups: ad_admins
>    Member of Sudo rule: ad_admins
>    Indirect Member groups: ad_admins_external
>
> ipa group-show ad_admins
>    Group name: ad_admins
>    Description: miovision.corp admins
>    GID: 1768200004
>    Member users: admin
>    Member groups: ad_admins_external
>    Member of groups: admins
>    Member of Sudo rule: ad_admins, All
>
> Thanks,
>
> *Steve Dainard *
> IT Infrastructure Manager
> Miovision <http://miovision.com/> | /Rethink Traffic/
>
> *Blog <http://miovision.com/blog>  | **LinkedIn
> <https://www.linkedin.com/company/miovision-technologies>  | Twitter
> <https://twitter.com/miovision>  | Facebook
> <https://www.facebook.com/miovision>*
> ------------------------------------------------------------------------
> Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener,
> ON, Canada | N2C 1L3
> This e-mail may contain information that is privileged or confidential.
> If you are not the intended recipient, please delete the e-mail and any
> attachments and notify us immediately.
>
>
> On Wed, Feb 19, 2014 at 8:48 AM, Pavel Březina <pbrez...@redhat.com> wrote:
>
>     On 02/18/2014 10:32 PM, Steve Dainard wrote:
>
>         Hi Pavel,
>
>         Very interesting, my IPA group membership in ad_admins isn't
>         shown by
>         that command on first run (new login)
>
>         sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
>         uid=799002462(sdainard-admin@miovision.corp)
>         gid=799002462(sdainard-admin@miovision.corp)
>         groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladm...@miovision.corp)
>
>         sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>         [sudo] password for sdainard-ad...@miovision.corp:
>         sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.
>            This incident will be reported.
>
>         But after attempting the sudo command my groups do contain the IPA
>         groups admins,ad_admins:
>
>         sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
>         uid=799002462(sdainard-admin@miovision.corp)
>         gid=799002462(sdainard-admin@miovision.corp)
>         groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladm...@miovision.corp),*1768200000(admins),1768200004(ad_admins)*
>
>
>         sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>         [sudo] password for sdainard-ad...@miovision.corp:
>         root@ubu1310:/home/miovision.corp/sdainard-admin#
>
>
>         Sudo rule (I had to create this; apparently it's a default rule, but
>         didn't exist in my install on RHEL7 beta):
>             Rule name: All
>             Enabled: TRUE
>             Host category: all
>             Command category: all
>             RunAs User category: all
>             RunAs Group category: all
>             User Groups: ad_admins
>
>
>     Can you tell me more information about admins and ad_admins groups
>     and sdainard-admin? I would like to know how the membership is
>     configured and what is their relation to AD. Dump of ipa user-show
>     and ipa group-show should be enough, I think.
>
>
>         I saw the new dns update option (and refresh timers!), thanks.
>
>
>
>         On Tue, Feb 18, 2014 at 5:27 AM, Pavel Březina
>         <pbrez...@redhat.com> wrote:
>
>              On 02/17/2014 10:29 PM, Steve Dainard wrote:
>
>                  I can't reproduce consistently on any OS including
>         Fedora 20,
>                  but I was
>                  able to trigger the issue on a Ubuntu 13.10 client.
>
>                  sssd: 1.11.1
>
>                  sudo: 1.8.6p3-0ubuntu3
>
>                  I have only just enabled the sudo logging so it should only
>                  contain the
>                  events below:
>
>                  sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>
>                  [sudo] password for sdainard-ad...@miovision.corp:
>                  sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.
>                     This incident will be reported.
>                  sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>                  [sudo] password for sdainard-ad...@miovision.corp:
>                  root@ubu1310:/home/miovision.corp/sdainard-admin#
>
>
>                  Files attached outside of list.
>
>
>              Hi,
>              thank you for the logs. Can you also send me output of
>         command "id
>              sdainard-admin" (also check if group membership is correct) and
>              definition of the sudo rule please?
>
>              Also you may want to fix the following (unrelated) warning:
>              Deprecation warning: The option ipa_dyndns_update is
>         deprecated and
>              should not be used in favor of dyndns_update
>
>
>
>


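Pavel's diagnosis above, as an added example that is not part of the thread: parse the two `id` snapshots Steve posted (constructed, shortened copies of them are embedded below) and compare them against the user group the `All` sudo rule requires, so that a denied first `sudo` can be traced to the IPA groups sssd had not yet resolved rather than to the rule itself.

```python
import re

# Constructed sample modelled on the thread: `id` output on first login
# (no IPA groups) and after the failed sudo attempt (admins/ad_admins present).
ID_FIRST_LOGIN = (
    "uid=799002462(sdainard-admin@miovision.corp) "
    "gid=799002462(sdainard-admin@miovision.corp) "
    "groups=799002462(sdainard-admin@miovision.corp),"
    "799001416(hr-share-access@miovision.corp),"
    "799002469(kloperators@miovision.corp)"
)
ID_AFTER_SUDO = ID_FIRST_LOGIN + ",1768200000(admins),1768200004(ad_admins)"

# "User Groups" of the sudo rule `All` as shown by ipa sudorule-show in the thread.
RULE_ALL_USER_GROUPS = {"ad_admins"}

# One "gid(name)" entry; names may contain spaces ("domain admins@...").
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(id_output: str) -> dict:
    """Return {group_name: gid} from the groups= field of a single `id` line."""
    match = re.search(r"groups=(.*)$", id_output)
    if not match:
        raise ValueError("no groups= field in id output")
    return {name: int(gid) for gid, name in GROUP_RE.findall(match.group(1))}


def sudo_rule_groups_missing(id_output: str, rule_groups: set) -> list:
    """Rule groups the user needs but is not resolved into at this moment.

    A non-empty result means sudo's denial is consistent with what sssd
    returned, and the membership resolution is where to look."""
    return sorted(rule_groups - set(parse_id_groups(id_output)))


def groups_gained(before: str, after: str) -> list:
    """(name, gid) pairs present in a later lookup but absent on first login."""
    old = parse_id_groups(before)
    new = parse_id_groups(after)
    return sorted((name, gid) for name, gid in new.items() if name not in old)


if __name__ == "__main__":
    print("missing on first login:", sudo_rule_groups_missing(ID_FIRST_LOGIN, RULE_ALL_USER_GROUPS))
    print("missing after sudo:    ", sudo_rule_groups_missing(ID_AFTER_SUDO, RULE_ALL_USER_GROUPS))
    print("groups gained:         ", groups_gained(ID_FIRST_LOGIN, ID_AFTER_SUDO))
```

On a real client, feed the functions the output of `id <user>` captured at login and again after the failed sudo to confirm whether the IPA groups only appear after the second lookup.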
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
