Cory,
Thanks for the update and link. And a big thanks to everyone else for their
time looking at this. I also was able to install the referenced .deb and
now sudo works as expected.
Jeff
On Tue, Aug 30, 2016 at 12:46 PM, Cory Francis Myers <
c...@trinitymobilenetworks.com> wrote:
> Pavel Břez
Pavel Březina | Tue, 30 Aug 2016 02:59:55 -0700:
> unfortunately sudo 1.8.16 introduced a bug in sssd plugin. 1.8.16
> contains a new option called netgroup_tuple, which tells whether a
> full netgroup tuple is checked or only the host/user part in host/user
> check. However, the patch didn't make th
On 08/26/2016 02:15 PM, Jeff Goddard wrote:
Pavel,
I appreciate that you're busy and thank you for taking time to look at
this. Here is the output:
[root@id-management-1 ~]# ipa sudorule-show
Rule name: all
Rule name: All
Description: Full sudo access for Developer group in office environment
Enabled: TRUE
Command category: all
R
On 08/25/2016 08:01 PM, Jeff Goddard wrote:
I'm still hoping someone can offer additional help. I see in the apt
term.log these errors when downloading the freeipa-client package. Could
this be the problem?
Hi,
I'm sorry, I somehow overlooked this thread. Can you provide output of
ipa sudorule
We are seeing the same problem (correct group membership; matching HBAC
rules retrieved by sssd and rejected by sudo) on a new Ubuntu 16.04
client joining a realm of existing (and working) Ubuntu 15.10 hosts,
despite identical "/etc/sssd/sssd.conf" files.
Master:
root@hades:~# cat /etc/lsb-re
I'm still hoping someone can offer additional help. I see in the apt
term.log these errors when downloading the freeipa-client package. Could
this be the problem?
Creating SSSD system user & group...
adduser: Warning: The home directory `/var/lib/sss' does not belong to the
user you are currently
Just some additional information, this is a default install however as a
modification after running the ipa-client-install executable I followed
these instructions so that users get an automatically-created home
directory:
https://debian-administration.org/article/403/Giving_users_a_home_director
Hi Pavel, can you help us with this thread?
> On 12 Aug 2016, at 21:57, Jeff Goddard wrote:
>
>
>
> On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson
> wrote:
> In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created automatically
> in the IPA compat tree under 'cn=ng,cn=compat,$su
On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson
wrote:
> In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created
> automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix'
> because sudo has no understanding of hostgroups.
>
> You should be able to query this on a client wi
In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created
automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix'
because sudo has no understanding of hostgroups.
You should be able to query this on a client with
# getent netgroup office
This should return nisNetgroup
I made the edit as suggested - removing nis and just leaving sss -
restarted sssd and then re-tried. I also tried with files sss. Still
getting the same result.
Thanks,
Jeff
On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson
wrote:
> This looks suspicious
>
> *Aug 12 08:45:00 sudo[31732] val[0
This looks suspicious
Aug 12 08:45:00 sudo[31732] val[0]=+office
Aug 12 08:45:00 sudo[31732] -> addr_matches @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195
Aug 12 08:45:00 sudo[31732] -> addr_matches_if @
/build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/ma
The rule is defined that all members of the developer group have sudo
access to all commands available on the machines in the office group.
Jeff
On Fri, Aug 12, 2016 at 9:58 AM, Jakub Hrozek wrote:
> On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote:
> > Jakub,
> >
> > Here is the lo
On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote:
> Jakub,
>
> Here is the log file output:
How is the sudorule defined?
> Aug 12 08:45:00 sudo[31732] user_in_group: user jgoddard NOT in group admin
> Aug 12 08:45:00 sudo[31732] <- user_in_group @
> /build/sudo-L2mAoN/sudo-1.8.16/plu
On Fri, Aug 12, 2016 at 08:31:52AM -0400, Jeff Goddard wrote:
> Jakub,
>
> I apologize for my ignorance, can you give me the syntax for that? In the
> file I created I only added the statement "debug_level=9". Adding a
> "log_file=/var/log/sudo.log" statement does not produce a file. Googling
> fo
Jakub,
I apologize for my ignorance, can you give me the syntax for that? In the
file I created I only added the statement "debug_level=9". Adding a
"log_file=/var/log/sudo.log" statement does not produce a file. Googling
for syntax returns a bunch of results for the sudoers file. Also of note,
di
On Thu, Aug 11, 2016 at 05:02:49PM -0400, Jeff Goddard wrote:
> Manually creating the file and then restarting the service and performing
So according to this:
> (Thu Aug 11 16:58:29 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
> Returning info for user [jgodd...@internal.emerlyn.com]
> (Thu A
Hello,
Could you increase the debug level to 9, restart sssd + clear the cache
and reproduce the problem then provide the sssd_.log as well as
the sssd_sudo.log ?
Also you may want to rule out HBAC issues with the below command:
# ipa hbactest --user 'jgoddard' --host $(hostname) --ser
Here is relevant configuration files:
*nsswitch.conf:*
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow:files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc:
Jeff Goddard wrote:
I've looked through these but not found anything helpful. It appears as
though my previous statement about the 1 group being found was
misleading as the sssd.$mydomain.com.log file reports that no sudo rules
are found. Does this mean that the LDAP tree being searched is differe
I've looked through these but not found anything helpful. It appears as
though my previous statement about the 1 group being found was misleading
as the sssd.$mydomain.com.log file reports that no sudo rules are found.
Does this mean that the LDAP tree being searched is different on ubuntu vs
centos
Jeff Goddard wrote:
Sean,
Thanks for the reply. I don't think that's my problem but I'm posting a
redacted copy of the sssd.conf file for review below.
I'd start here: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
rob
> From: Jeff Goddard
> To: freeipa-users@redhat.com
> Date: 08/10/2016 10:52 AM
> Subject: [Freeipa-users] sudo rules question on ubuntu 16.0.1
> Sent by: freeipa-users-boun...@redhat.com
> -
I've got a freeipa domain and many centos 7.2 clients. I also have a sudo
rule that allows member of the developer group sudo rights on virtual
servers in the "development" group. This works great on the centos servers.
However, I recently set up 3 ubuntu boxes, and added them to the IPA domain
and