Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-08-03 Thread Jakub Hrozek
On Fri, Jul 31, 2015 at 09:19:30AM +0700, Dewangga Bachrul Alam wrote:
> Hello!
> 
> Sorry for making you confused.
> 
> The main problem is the cache on the IPA server/client: how long does the
> cache remain active before it refreshes with the correct policy/rules?

See man sssd-sudo for an explanation of the sudo lookups.

> 
> Whenever I set sudo rules or modify another configuration (policy,
> etc.), there is always a delay.

The best would be to run one such example with logs to see exactly what
queries sssd ran, and also to rule out sssd going offline later in the
process.

> 
> And until now, the global_policy still doesn't use the correct configuration.
> It's still using the min 0, max 0 configuration (I set this policy
> yesterday, and reverted it back to min 1, max 90 yesterday too).
> 
> Any hints?
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Dewangga Bachrul Alam
Hello!

Sorry for making you confused.

The main problem is the cache on the IPA server/client: how long does the
cache remain active before it refreshes with the correct policy/rules?

Whenever I set sudo rules or modify another configuration (policy,
etc.), there is always a delay.

And until now, the global_policy still doesn't use the correct configuration.
It's still using the min 0, max 0 configuration (I set this policy
yesterday, and reverted it back to min 1, max 90 yesterday too).

Any hints?



Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Jakub Hrozek
On Thu, Jul 30, 2015 at 09:50:23PM +0700, Dewangga Bachrul Alam wrote:
> Hello!
> 
> I don't know where to start tracking down this issue. I found
> something else interesting.
> 
> 1. Set the `global_policy` password expiration (both min and max) to 0 (zero)
> 2. Add a user called `dummy`
> 3. Set the global_policy password expiration to min 1 and max 90.
> 4. Add a user called `dummy2`
> 
> Both users dummy and dummy2 have the same password expiration :D
> The problem is the same when assigning sudo rules/groups to a user.
> 
> I set debug_level = 7 in the following sections of sssd.conf:
> 
> [domain/mydomain.co.id]
> .. debug_level = 7 ..
> 
> [sssd]
> .. debug_level = 7 ..
> 
> [sudo]
> .. debug_level = 7 ..
> 
> I didn't find any related information about the 4 steps above.

I'm sorry, but I'm getting a bit confused about what is and what is not
the problem. Can we take a step back and see what works in your
environment and what does not?

Can you describe the workflow?



Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Dewangga Bachrul Alam
Hello!

I don't know where to start tracking down this issue. I found
something else interesting.

1. Set the `global_policy` password expiration (both min and max) to 0 (zero)
2. Add a user called `dummy`
3. Set the global_policy password expiration to min 1 and max 90.
4. Add a user called `dummy2`

Both users dummy and dummy2 have the same password expiration :D
The problem is the same when assigning sudo rules/groups to a user.

I set debug_level = 7 in the following sections of sssd.conf:

[domain/mydomain.co.id]
.. debug_level = 7 ..

[sssd]
.. debug_level = 7 ..

[sudo]
.. debug_level = 7 ..

I didn't find any related information about the 4 steps above.



Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Jakub Hrozek
On Thu, Jul 30, 2015 at 07:09:47PM +0700, Dewangga Bachrul Alam wrote:
> Hello Jakub!
> 
> Sorry for the delayed email.
> My bad, I disabled cache_credentials, not sssd_cache.

Then I think it's completely unrelated to the sudo rules problem.

> 
> I tried modifying my user `dewangga` to remove sudo rules; the cache is
> still active even after I restart the sssd service and delete all ccache* files.

Yes, the cache can't be completely disabled with sssd. See:
https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/

> 
> There's no information in the sssd log folder.
> 
> -rw-------. 1 root root    0 Jul 29 19:26 krb5_child.log
> -rw-------. 1 root root 105K Jul 30 04:49 ldap_child.log
> -rw-------. 1 root root    0 Jul 29 19:26 sssd.log
> -rw-------. 1 root root    0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
> -rw-------. 1 root root    0 Jul 29 19:26 sssd_nss.log
> -rw-------. 1 root root    0 Jul 29 19:26 sssd_pac.log
> -rw-------. 1 root root    0 Jul 29 19:26 sssd_pam.log
> -rw-------. 1 root root    0 Jul 29 19:26 sssd_ssh.log
> -rw-------. 1 root root    0 Jul 29 19:26 sssd_sudo.log


Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Dewangga Bachrul Alam
Hello Jakub!

Sorry for the delayed email.
My bad, I disabled cache_credentials, not sssd_cache.

I tried modifying my user `dewangga` to remove sudo rules; the cache is
still active even after I restart the sssd service and delete all ccache* files.

There's no information in the sssd log folder.

-rw-------. 1 root root    0 Jul 29 19:26 krb5_child.log
-rw-------. 1 root root 105K Jul 30 04:49 ldap_child.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_nss.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_pac.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_pam.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_ssh.log
-rw-------. 1 root root    0 Jul 29 19:26 sssd_sudo.log




Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Jakub Hrozek
On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
> Hello!
> 
> I set the cache value to False in sssd.conf (on the IPA server and client).

Can you show me the exact config directive you used?



Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread NitrouZ
Hello!

I set the cache value to False in sssd.conf (on the IPA server and client).

-- 
Sent from iDewangga Device

Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Jakub Hrozek
On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
> Hello!
> 
> Thanks for the hints, both of you; yes, the sssd_cache is in play.
> I've set the cache to false; does it have any impact on the IPA
> server/client (performance, security or another issue)?

How exactly did you 'disable' the cache? The sssd cache can't be
disabled; it can either be removed manually or the cache lifetime can be
set short.


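The two levers named in this thread, the per-entry cache lifetimes and the periodic sudo refreshes described in sssd-sudo(5), together decide how long a client can keep acting on a sudo rule that has already been changed on the IPA server. The script below is an added example written for this page; it is not code from the thread, from SSSD or from FreeIPA. It parses an sssd.conf with the standard library, fills in the documented defaults (entry_cache_timeout 5400 s, ldap_sudo_smart_refresh_interval 900 s, ldap_sudo_full_refresh_interval 21600 s; these values are assumed from the man pages, not taken from the thread, so check them against your SSSD version), reports the worst-case staleness for an added, modified or deleted rule and for a group-membership change, and flags the mix-up that surfaced above: `cache_credentials` governs offline-login credential caching, and no option switches the identity/sudo cache off. Both sssd.conf texts are constructed for the example; the domain name mydomain.co.id is the one from the thread.

```python
"""Audit the SSSD settings that decide how long a client keeps serving stale
identity and sudo data. Added example for this thread, not code from the
thread, from SSSD or from FreeIPA. Defaults are the ones documented in
sssd.conf(5), sssd-ldap(5) and sssd-sudo(5); they are assumptions here, so
check the man pages of the SSSD version you actually run."""
import configparser
from typing import Dict, List

# Documented defaults (assumed for this example), all in seconds.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400   # identity entries (users, groups): 90 min
DEFAULT_SUDO_SMART_REFRESH = 900     # ldap_sudo_smart_refresh_interval: 15 min
DEFAULT_SUDO_FULL_REFRESH = 21600    # ldap_sudo_full_refresh_interval: 6 h

# Constructed sssd.conf shaped like the poster's: debug_level raised and
# cache_credentials switched off, nothing touching the cache lifetimes.
PRODUCTION_CONF = """\
[sssd]
domains = mydomain.co.id
services = nss, pam, ssh, sudo
debug_level = 7

[domain/mydomain.co.id]
id_provider = ipa
ipa_server = ipa.mydomain.co.id
cache_credentials = False
debug_level = 7

[sudo]
debug_level = 7
"""

# Constructed variant with short lifetimes for a test environment, i.e. the
# "cache lifetime can be set short" route from the thread.
TESTING_CONF = """\
[sssd]
domains = mydomain.co.id
services = nss, pam, sudo

[domain/mydomain.co.id]
id_provider = ipa
ipa_server = ipa.mydomain.co.id
entry_cache_timeout = 60
entry_cache_sudo_timeout = 30
ldap_sudo_smart_refresh_interval = 60
ldap_sudo_full_refresh_interval = 300
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style, so the standard parser is enough."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_settings(cp: configparser.ConfigParser, domain: str) -> Dict[str, object]:
    """Resolve the cache-related options for one domain, applying defaults."""
    sect = f"domain/{domain}"
    if not cp.has_section(sect):
        raise KeyError(f"no [{sect}] section in sssd.conf")
    entry = cp.getint(sect, "entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
    return {
        "entry_cache_timeout": entry,
        # sudo rules fall back to the generic entry timeout
        "entry_cache_sudo_timeout": cp.getint(sect, "entry_cache_sudo_timeout", fallback=entry),
        "ldap_sudo_smart_refresh_interval": cp.getint(
            sect, "ldap_sudo_smart_refresh_interval", fallback=DEFAULT_SUDO_SMART_REFRESH),
        "ldap_sudo_full_refresh_interval": cp.getint(
            sect, "ldap_sudo_full_refresh_interval", fallback=DEFAULT_SUDO_FULL_REFRESH),
        # offline-auth credential caching; unrelated to the identity/sudo cache
        "cache_credentials": cp.getboolean(sect, "cache_credentials", fallback=False),
    }


def worst_case_delays(s: Dict[str, object]) -> Dict[str, int]:
    """Longest time (seconds) a change on the IPA server can stay invisible on
    the client, per kind of change, following the refresh scheme in sssd-sudo(5)."""
    return {
        # a new or modified rule is fetched by the next periodic smart refresh
        "rule_added_or_modified": s["ldap_sudo_smart_refresh_interval"],
        # smart refresh cannot see deletions; only a full refresh is guaranteed to drop a rule
        "rule_deleted": s["ldap_sudo_full_refresh_interval"],
        # rules are matched against the cached user and group entries
        "group_membership_changed": s["entry_cache_timeout"],
    }


def audit(text: str, domain: str) -> List[str]:
    """Human-readable findings for one sssd.conf."""
    cp = load_conf(text)
    sect = f"domain/{domain}"
    s = effective_settings(cp, domain)
    findings = []
    for bogus in ("cache", "sssd_cache", "enable_cache", "use_cache"):
        if cp.has_option(sect, bogus):
            findings.append(f"'{bogus}' is not an SSSD option: the cache cannot be "
                            "switched off, only expired (short timeouts) or removed (sss_cache)")
    if cp.has_option(sect, "cache_credentials"):
        findings.append("cache_credentials only decides whether password hashes are kept "
                        "for offline logins; it does not affect identity or sudo caching")
    for kind, secs in worst_case_delays(s).items():
        findings.append(f"{kind}: stale for up to {secs // 60} min")
    return findings


if __name__ == "__main__":
    for label, conf in (("production defaults", PRODUCTION_CONF), ("testing", TESTING_CONF)):
        print(f"== {label} ==")
        for line in audit(conf, "mydomain.co.id"):
            print(" ", line)
```

Run it as-is to compare the production defaults with the short-lifetime testing profile; to audit a real client, read /etc/sssd/sssd.conf (root-only) and pass its text to audit(). Shortening the lifetimes buys freshness at the cost of the extra server round-trips Martin mentions; removing the cache with sss_cache or by deleting /var/lib/sss/db/* forces one refetch but leaves the lifetimes, and therefore the next window of staleness, unchanged.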

Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread NitrouZ
Thanks Martin,

Yes, it is for testing only; when the IPA server is ready for production, I
will enable the cache.

Once again, thank you.

-- 
Sent from iDewangga Device

Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-29 Thread Martin Kosek

On 07/29/2015 05:03 PM, Dewangga wrote:
> Hello!
>
> Thanks for the hints, both of you; yes, the sssd_cache is in play.

Good!

> I've set the cache to false; does it have any impact on the IPA
> server/client (performance, security or another issue)?

Disabling the cache for testing is fine; it is not that fine for a production
environment. Without the cache enabled, SSSD would always ask the server, so it
would have a performance impact, yes.

It should not be visible with a couple of clients, but once you work with a big
network, it will.





Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-29 Thread Dewangga
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

Thanks for the hints, both of you; yes, the sssd_cache is in play.
I've set the cache to false; does it have any impact on the IPA
server/client (performance, security or another issue)?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJVuOsyAAoJEF1+odKB6YIxN8YH+gLezNhWVzS8UDipFM7cBR5b
xxj7M0rnkemHlvTVx5tzDkibTDzc3zLlcqX36EtdFWCp4N4uTvchnEbhzilcYW/T
kRCAbLtHndhknx8U+eNrKw3EtrErSaDYjADboqqjyuiUfG7xaHwsomqje2F0PvFf
c8wOkLxg1eLAZH3zTnZpHxW1PVx4Tdb+7RjwAEr4YFHoDhpe/k422H74ji2wPe3X
5MYJSbtxEra5qfDGsFN9nRKZkVPf/useSlBVH/mtonpT2YYTkdOIJqRaZw1xAG2V
Dmuo4dIeZseKDg79easC2AeRtjckvjBo1NPJ4zfBtL8TJ9MZmpScOSh/zCF5miM=
=cKjO
-----END PGP SIGNATURE-----



Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-29 Thread Jakub Hrozek
On Wed, Jul 29, 2015 at 04:32:42PM +0200, Martin Kosek wrote:
> I suspect that SSSD cache is in play. You can try to remove it ("man sss_cache"
> or remove it manually "stop sssd, remove /var/lib/sss/db/* and start sssd
> again").

I think restarting SSSD should help here. You can read the type of sudo
refreshes sssd does in man sssd-sudo.

If it doesn't, we need sssd logs.



Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-29 Thread Martin Kosek
On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote:
> Hello!
> 
> I'm using FreeIPA 4.1.x on CentOS 7. Is there any delay after applying
> some rules to a specified user?

I suspect that SSSD cache is in play. You can try to remove it ("man sss_cache"
or remove it manually "stop sssd, remove /var/lib/sss/db/* and start sssd
again").



[Freeipa-users] Is there any delay after applied rules to user?

2015-07-29 Thread Dewangga Bachrul Alam
Hello!

I'm using FreeIPA 4.1.x on CentOS 7. Is there any delay after applying
some rules to a specified user?

[root@ipa ~]# ipa sudorule-show
Rule name: wheel
  Rule name: Wheel
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Sudo order: 1
  Users: dewangga
  User Groups: wheel
  Sudo Option: !authenticate


On the ipa-client, user `dewangga` is asked for a password when executing
the command `sudo -l`

[dewangga@sherief-repository ~]$ sudo -l
[sudo] password for dewangga:

Here is `ipa user-show dewangga` result :

$ ipa user-show dewangga
  User login: dewangga
  First name: Dewangga
  Last name: Alam
  Home directory: /home/dewangga
  Login shell: /bin/bash
  Email address: [removed]
  UID: 64201
  GID: 64201
  Account disabled: False
  Password: False
  Member of groups: wheel
  Member of Sudo rule: Wheel
  Kerberos keys available: False
  SSH public key fingerprint: [removed] mahaesa-key (ssh-rsa)

Any help is appreciated.
Thanks
