Thanks Lukas,
to be honest I am not sure what you mean by "Please test with id simecek.to...@sd-stc.cz."
It is the user I am testing with all the time.

Here is what I see on the client where sudo does not work:
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ id
uid=988604700(simecek.to...@sd-stc.cz) gid=988604700(simecek.to...@sd-stc.cz) groups=988604700(simecek.to...@sd-stc.cz),431200004(grpunixadmins),988600513(domain us...@sd-stc.cz),988604182(acco...@sd-stc.cz),988604754(mfcr_...@sd-stc.cz),988604825(unixadm...@sd-stc.cz),988604833(wifiadm...@sd-stc.cz)

You can see the CentOS 6.6 client knows about all the groups assigned to the
user, incl. AD groups (unixadmins), which seems funny to me.

You are right, the IPA server is CentOS 7.0 and the functional client is CentOS 7.0
as well. Both login and sudo work on the client with CentOS 7.0.
Rules on the IPA server are set to work on both clients, but work only on 7.0.
If I run an update on the server, it would update ipa-server from v.
4.2.0-15.0.1.el7.centos.6.1 to v. 4.2.0-15.0.1.el7.centos.17.

Does it make sense now?

Thanks

T.


2016-07-14 12:21 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:

> On (14/07/16 11:26), Tomas Simecek wrote:
> >Hi Lukas,
> >we have the Active Directory group "UnixAdmins".
> >We have IPA external group ad_admins_external
> ><https://svlxxipap.linuxdomain.cz/ipa/ui/#ad_admins_external>, which has
> >Windows "UnixAdmins" group as a member.
> >We have local IPA group grpunixadmins
> ><https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>, which has
> >ad_admins_external group as a member.
> >So from that perspective user simecek.to...@sd-stc.cz is a member of
> >grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>.
> >That setup works for ssh logins and for sudo on Centos 7.0.
> >
> If a user is a member of a group in IPA, it does not mean that
> it's properly propagated to the client :-)
>
> I can see a few errors in the log
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.to...@sd-stc.cz
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>
> Please test with id simecek.to...@sd-stc.cz.
> I'm pretty sure that you will not see the group grpunixadmins.
>
> BTW according to the domain logs it looks like a bug with the extop plugin
> on the FreeIPA server. I assume that the IPA server is on CentOS 7.0
> because you mention it works on CentOS 7.0.
>
> I would strongly recommend upgrading the server to 7.2
>
> LS
>
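The check Lukas asks for (run `id` for the user on the client and see whether grpunixadmins is actually there) together with the log errors he points at, as an added example that is not part of this thread and not FreeIPA or SSSD code: a POSIX sh script that lists a user's client-resolved groups from `id` output and counts the sysdb "Could not add member [...] ... Skipping." entries for that user in the SSSD domain log. The user, domain and both samples are constructed placeholders (someone@example.test, linuxdomain.test), not the values from the thread; the log path /var/log/sssd/sssd_<domain>.log is the usual SSSD location and is assumed here.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA/SSSD): check on an
# SSSD client whether a user's expected POSIX group actually arrived, and
# whether the SSSD domain log shows the client giving up on membership updates.
# User/domain names are hypothetical; on a real client feed in `id <user>`
# output and /var/log/sssd/sssd_<domain>.log instead of the samples below.

# Constructed sample of `id` output (same shape as in the thread, not a capture).
SAMPLE_ID='uid=988604700(someone@example.test) gid=988604700(someone@example.test) groups=988604700(someone@example.test),431200004(grpunixadmins),988600513(domain users@example.test)'

# Constructed sample SSSD domain log, modelled on the errors quoted in the thread.
SAMPLE_LOG='(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.test]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.test]]] [sysdb_update_members_ex] (0x0020): Could not add member [someone@example.test] to group [name=someone@example.test,cn=groups,cn=example.test,cn=sysdb]. Skipping.
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.test]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for someone@example.test
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.test]]] [sysdb_update_members_ex] (0x0020): Could not add member [someone@example.test] to group [name=someone@example.test,cn=groups,cn=example.test,cn=sysdb]. Skipping.'

# id_groups ID_OUTPUT: print the group names from one line of `id` output, one per line.
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# has_group ID_OUTPUT GROUP: succeed if GROUP is among the client-resolved groups.
has_group() {
    id_groups "$1" | grep -qx -- "$2"
}

# skipped_memberships USER LOG: count log lines where sysdb skipped adding USER
# to a group (the "Could not add member [...] ... Skipping." message).
# Always prints a number and exits 0, even when nothing matches.
skipped_memberships() {
    printf '%s\n' "$2" | grep -cF -- "Could not add member [$1]" || :
}

# report USER GROUP ID_OUTPUT LOG: print a verdict; return 0 only when GROUP is
# present on the client and the log shows no skipped membership update for USER.
report() {
    status=0
    if has_group "$3" "$2"; then
        echo "OK: $1 has group $2 on this client"
    else
        echo "MISSING: $1 does not have group $2 on this client"
        status=1
    fi
    n=$(skipped_memberships "$1" "$4")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n skipped membership update(s) for $1 in the SSSD domain log"
        status=1
    fi
    return $status
}

# Run against the constructed samples; the verdict is non-zero because the
# sample log records skipped membership updates even though the group resolved.
report someone@example.test grpunixadmins "$SAMPLE_ID" "$SAMPLE_LOG" || :
```

On a real client, replace the two samples with `id "$user"` and the domain log (the sysdb messages only appear when debug_level in the [domain/...] section of sssd.conf is high enough). The two signals are read together: a MISSING group alongside skipped membership updates points at the client side of the membership propagation, which is what Lukas describes, rather than at the sudo rules on the server.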
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project