Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-30 Thread Jeff Goddard
Cory, Thanks for the update and link. And a big thanks to everyone else for their time looking at this. I also was able to install the referenced .deb and now sudo works as expected. Jeff On Tue, Aug 30, 2016 at 12:46 PM, Cory Francis Myers <c...@trinitymobilenetworks.com> wrote: > Pavel

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-30 Thread Cory Francis Myers
Pavel Březina | Tue, 30 Aug 2016 02:59:55 -0700: > unfortunately sudo 1.8.16 introduced a bug in sssd plugin. 1.8.16 > contains a new option called netgroup_tuple, which tells whether a > full netgroup tuple is checked or only the host/user part in host/user > check. However, the patch didn't make

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-30 Thread Pavel Březina
On 08/26/2016 02:15 PM, Jeff Goddard wrote: Pavel, I appreciate that you're busy and thank you for taking time to look at this. Here is the output: [root@id-management-1 ~]# ipa sudorule-show Rule name: all Rule name: All Description: Full sudo access for Developer group in office

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-26 Thread Jeff Goddard
Pavel, I appreciate that you're busy and thank you for taking time to look at this. Here is the output: [root@id-management-1 ~]# ipa sudorule-show Rule name: all Rule name: All Description: Full sudo access for Developer group in office environment Enabled: TRUE Command category: all

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-26 Thread Pavel Březina
On 08/25/2016 08:01 PM, Jeff Goddard wrote: I'm still hoping someone can offer additional help. I see in the apt term.log these errors when downloading the freeipa-client package. Could this be the problem? Hi, I'm sorry, I somehow overlooked this thread. Can you provide output of ipa

[Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-26 Thread Cory Francis Myers
We are seeing the same problem (correct group membership; matching HBAC rules retrieved by sssd and rejected by sudo) on a new Ubuntu 16.04 client joining a realm of existing (and working) Ubuntu 15.10 hosts, despite identical "/etc/sssd/sssd.conf" files. Master: root@hades:~# cat

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-25 Thread Jeff Goddard
I'm still hoping someone can offer additional help. I see in the apt term.log these errors when downloading the freeipa-client package. Could this be the problem? Creating SSSD system user & group... adduser: Warning: The home directory `/var/lib/sss' does not belong to the user you are currently

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-14 Thread Jeff Goddard
Just some additional information, this is a default install however as a modification after running the ipa-client-install executable I followed these instructions so that users get an automatically-created home directory:

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-14 Thread Jakub Hrozek
Hi Pavel, can you help us with this thread? > On 12 Aug 2016, at 21:57, Jeff Goddard wrote: > > > > On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson > wrote: > In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created automatically > in

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson wrote: > In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created > automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix' > because sudo has no understanding of hostgroups. > > You should be able to

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Justin Stephenson
In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created automatically in the IPA compat tree under 'cn=ng,cn=compat,$suffix' because sudo has no understanding of hostgroups. You should be able to query this on a client with # getent netgroup office This should return

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
I made the edit as suggested - removing nis and just leaving sss - restarted sssd and then re-tried. I also tried with files sss. Still getting the same result. Thanks, Jeff On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson wrote: > This looks suspicious > > *Aug 12

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Justin Stephenson
This looks suspicious Aug 12 08:45:00 sudo[31732] val[0]=+office Aug 12 08:45:00 sudo[31732] -> addr_matches @ /build/sudo-L2mAoN/sudo-1.8.16/plugins/sudoers/match_addr.c:195 Aug 12 08:45:00 sudo[31732] -> addr_matches_if @

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
The rule is defined that all members of the developer group have sudo access to all commands available on the machines in the office group. Jeff On Fri, Aug 12, 2016 at 9:58 AM, Jakub Hrozek wrote: > On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote: > > Jakub, >

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jakub Hrozek
On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote: > Jakub, > > Here is the log file output: How is the sudorule defined? > Aug 12 08:45:00 sudo[31732] user_in_group: user jgoddard NOT in group admin > Aug 12 08:45:00 sudo[31732] <- user_in_group @ >

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jakub Hrozek
On Fri, Aug 12, 2016 at 08:31:52AM -0400, Jeff Goddard wrote: > Jakub, > > I apologize for my ignorance, can you give me the syntax for that? In the > file I created I only added the statement "debug_level=9". Adding a > "log_file=/var/log/sudo.log" statement does not produce a file. Googling >

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
Jakub, I apologize for my ignorance, can you give me the syntax for that? In the file I created I only added the statement "debug_level=9". Adding a "log_file=/var/log/sudo.log" statement does not produce a file. Googling for syntax returns a bunch of results for the sudoers file. Also of note,

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jakub Hrozek
On Thu, Aug 11, 2016 at 05:02:49PM -0400, Jeff Goddard wrote: > Manually creating the file and then restarting the service and performing So according to this: > (Thu Aug 11 16:58:29 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > Returning info for user [jgodd...@internal.emerlyn.com] > (Thu

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-11 Thread Justin Stephenson
Hello, Could you increase the debug level to 9, restart sssd + clear the cache and reproduce the problem then provide the sssd_.log as well as the sssd_sudo.log ? Also you may want to rule out HBAC issues with the below command: # ipa hbactest --user 'jgoddard' --host $(hostname)

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-11 Thread Jeff Goddard
Here are the relevant configuration files: nsswitch.conf: passwd: compat sss group: compat sss shadow: compat sss gshadow: files hosts: files dns networks: files protocols: db files services: db files sss ethers: db files rpc:

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-11 Thread Rob Crittenden
Jeff Goddard wrote: I've looked through these but not found anything helpful. It appears as though my previous statement about the 1 group being found was misleading as the sssd.$mydomain.com.log file reports that no sudo rules are found. Does this mean that the LDAP tree being searched is

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-11 Thread Jeff Goddard
I've looked through these but not found anything helpful. It appears as though my previous statement about the 1 group being found was misleading as the sssd.$mydomain.com.log file reports that no sudo rules are found. Does this mean that the LDAP tree being searched is different on ubuntu vs

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Rob Crittenden
Jeff Goddard wrote: Sean, Thanks for the reply. I don't think that's my problem but I'm posting a redacted copy of the sssd.conf file for review below. I'd start here: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO rob

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Jeff Goddard
many > centos 7.2 clients. I also have a sudo rule that allows members of > > From: Jeff Goddard <jgodd...@emerlyn.com> > To: freeipa-users@redhat.com > Date: 08/10/2016 10:52 AM > Subject: [Freeipa-users] sudo rules question on ubuntu 16.0.1 > Sent by: freeipa-users-boun...

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Sean Hogan
-users@redhat.com Date: 08/10/2016 10:52 AM Subject: [Freeipa-users] sudo rules question on ubuntu 16.0.1 Sent by: freeipa-users-boun...@redhat.com I've got a freeipa domain and many centos 7.2 clients. I also have a sudo rule that allows members of the developer group sudo rights on v

[Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Jeff Goddard
I've got a freeipa domain and many centos 7.2 clients. I also have a sudo rule that allows members of the developer group sudo rights on virtual servers in the "development" group. This works great on the centos servers. However, I recently set up 3 ubuntu boxes, and added them to the IPA domain