Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 13:52), Tomas Simecek wrote: >Hi Lukas, >sorry to say, but nothing helps. > >I have just updated IPA server, so that now it is: >[root@svlxxipap ~]# cat /etc/redhat-release >CentOS Linux release 7.2.1511 (Core) > >with: >[root@svlxxipap ~]# rpm -qa|grep ipa

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Lukas, sorry to say, but nothing helps. I have just updated IPA server, so that now it is: [root@svlxxipap ~]# cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) with: [root@svlxxipap ~]# rpm -qa|grep ipa ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 13:06), Tomas Simecek wrote: >Hi Lukas, >I did as you said. >Logs are attached to this mail. > Thank you very much for the provided data. The main problem is that the full refresh of sudo rules did not store any rules. It might be caused by the following errors which might be caused by issues

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 12:43), Tomas Simecek wrote: >Thanks Lukas, >to be honest I am not sure what you mean by "Please test with id >simecek.to...@sd-stc.cz." >It is the user I am testing with all the time. > >Here is what I see on client where sudo does not work: >[simecek.to...@sd-stc.cz@zp-cml-test

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Thanks Lukas, to be honest I am not sure what you mean by "Please test with id simecek.to...@sd-stc.cz." It is the user I am testing with all the time. Here is what I see on client where sudo does not work: [simecek.to...@sd-stc.cz@zp-cml-test ~]$ id uid=988604700(simecek.to...@sd-stc.cz)

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 11:26), Tomas Simecek wrote: >Hi Lukas, >we have Active Directory group "UnixAdmins" >. >We have IPA external group ad_admins_external >, which has >Windows "UnixAdmins" group as a member. >We have local IPA group

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Rob, thanks, but this is not the case. Firstly, for initial test purposes I am not limiting sudo to specific commands, in the rule it is set to "any". Secondly, it fails even in non-symlink cases: [root@zp-cml-test ~]# which service /sbin/service [root@zp-cml-test ~]# ll /sbin/service

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Rob Verduijn
hi, just a long shot here.. I've been battling sudo for a couple days now and found that my issue was one related to symlinks on centos7 'which cat' says /bin/cat but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when it sees one and to prevent abuse it requires the 'real'

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Lukas, we have Active Directory group "UnixAdmins" . We have IPA external group ad_admins_external , which has Windows "UnixAdmins" group as a member. We have local IPA group grpunixadmins

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 10:09), Tomas Simecek wrote: >Thanks all of you guys, >I have updated to: >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64 >sssd-1.13.3-22.el6_8.4.x86_64 >sssd-ldap-1.13.3-22.el6_8.4.x86_64 >sssd-client-1.13.3-22.el6_8.4.x86_64 >sssd-ad-1.13.3-22.el6_8.4.x86_64

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (13/07/16 10:32), Danila Ladner wrote: >Update to this one: >It has been running smoothly on 6.5 > >[root@dev-zlei.sec1 ~]# cat /etc/redhat-release >CentOS release 6.5 (Final) > >[root@dev-zlei.sec1 ~]# rpm -qa | grep sssd >sssd-client-1.12.4-47.el6.x86_64 >sssd-ldap-1.12.4-47.el6.x86_64

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Danila Ladner
Update to this one: It has been running smoothly on 6.5 [root@dev-zlei.sec1 ~]# cat /etc/redhat-release CentOS release 6.5 (Final) [root@dev-zlei.sec1 ~]# rpm -qa | grep sssd sssd-client-1.12.4-47.el6.x86_64 sssd-ldap-1.12.4-47.el6.x86_64 sssd-ad-1.12.4-47.el6.x86_64

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks, I will try. But I am afraid to update to more recent version than those in official repos. Thanks anyway. T. 2016-07-13 15:39 GMT+02:00 : > Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa > provider did not work under 1.11 > > Sent from my

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread ladner . danila
Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa provider did not work under 1.11 Sent from my iPhone > On Jul 13, 2016, at 9:02 AM, Tomas Simecek wrote: > > Hi, > versions are: > sssd-client-1.11.6-30.el6.x86_64 > sssd-ipa-1.11.6-30.el6.x86_64 >

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Hi, versions are: sssd-client-1.11.6-30.el6.x86_64 sssd-ipa-1.11.6-30.el6.x86_64 ipa-client-3.0.0-50.el6.centos.1.x86_64 as part of: CentOS release 6.6 (Final) T. 2016-07-13 14:52 GMT+02:00 : > Again what is client version on 6.5? > > > Sent from my iPhone > > On Jul

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread ladner . danila
Again what is client version on 6.5? Sent from my iPhone > On Jul 13, 2016, at 8:25 AM, Tomas Simecek wrote: > > Thanks for your information Lukas, > I have changed sudo_provider to ipa, restarted sssd and no difference. > Logfile still says "Access granted by HBAC

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks for your information Lukas, I have changed sudo_provider to ipa, restarted sssd and no difference. Logfile still says "Access granted by HBAC rule..." and sudo says simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test. Btw. man sssd-sudo says: The following example shows how

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Lukas Slebodnik
On (13/07/16 13:36), Tomas Simecek wrote: >Lukas, >yes, I went through that guide and I configured sssd.conf as per the doc >(you can see it in the beginning of the thread). > >Actually the installation is: >[root@zp-cml-test sssd]# cat /etc/redhat-release >CentOS release 6.6 (Final) > >and

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Lukas, yes, I went through that guide and I configured sssd.conf as per the doc (you can see it in the beginning of the thread). Actually the installation is: [root@zp-cml-test sssd]# cat /etc/redhat-release CentOS release 6.6 (Final) and versions are: [root@zp-cml-test sssd]# rpm -qa |grep sssd

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Lukas Slebodnik
On (13/07/16 11:18), Tomas Simecek wrote: >Dear freeIPA gurus, >in previous thread ( >https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you >helped me make sudo working for AD users on Centos 7.0 ( >spcss-2t-www.linuxdomain.cz). >It was caused by not knowing sudo needs to be

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks Jakub, in domain log below I can see that rules were found properly: (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Jakub Hrozek
On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote: > Dear freeIPA gurus, > in previous thread ( > https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you > helped me make sudo working for AD users on Centos 7.0 ( > spcss-2t-www.linuxdomain.cz). > It was caused by not

[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Dear freeIPA gurus, in previous thread ( https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you helped me make sudo working for AD users on Centos 7.0 ( spcss-2t-www.linuxdomain.cz). It was caused by not knowing sudo needs to be enabled in HBAC rules. Now it works properly on