Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-03-04 Thread Jakub Hrozek
On Mon, Mar 03, 2014 at 02:01:52PM -0500, Steve Dainard wrote:
> Hi Jakub, id info from earlier response:
>
> > Very interesting, my IPA group membership in ad_admins isn't shown by
> > that command on first run (new login)
> >
> > sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
> > uid=799002462(sdainard-admin@miovision.corp)
> > gid=799002462(sdainard-admin@miovision.corp)
> > groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladm...@miovision.corp)
> >
> > sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
> > [sudo] password for sdainard-ad...@miovision.corp:
> > sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.  This incident will be reported.
> >
> > But after attempting the sudo command my groups do contain the IPA
> > groups admins,ad_admins:
> >
> > sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
> > uid=799002462(sdainard-admin@miovision.corp)
> > gid=799002462(sdainard-admin@miovision.corp)
> > groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladm...@miovision.corp),*176820(admins),176824(ad_admins)*
> >

Interesting, I would have thought that both sudo and id after login
yield the same information. Can you send the SSSD logs? Feel free to
send them privately.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-03-03 Thread Steve Dainard
Sumit,

Unfortunately 1.11.1 is the only version available for Ubuntu 13.10.

I've also had the same problem with an updated version of Fedora 20, so I
don't think it's specific to this package version.

*Steve Dainard *
IT Infrastructure Manager
Miovision  | *Rethink Traffic*

--
 Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON,
Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If
you are not the intended recipient, please delete the e-mail and any
attachments and notify us immediately.


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-03-03 Thread Steve Dainard
Hi Jakub, id info from earlier response:

> Very interesting, my IPA group membership in ad_admins isn't shown by
> that command on first run (new login)
>
> sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
> uid=799002462(sdainard-admin@miovision.corp)
> gid=799002462(sdainard-admin@miovision.corp)
> groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladm...@miovision.corp)
>
> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
> [sudo] password for sdainard-ad...@miovision.corp:
> sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.  This incident will be reported.
>
> But after attempting the sudo command my groups do contain the IPA
> groups admins,ad_admins:
>
> sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
> uid=799002462(sdainard-admin@miovision.corp)
> gid=799002462(sdainard-admin@miovision.corp)
> groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladm...@miovision.corp),*176820(admins),176824(ad_admins)*
>


Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-24 Thread Sumit Bose
> On 02/19/2014 03:27 PM, Steve Dainard wrote:

...

> >
> >  sssd: 1.11.1
> >

Do you have a chance to update at least to 1.11.3? 1.11.4 would be even
better. There were a couple of improvements and fixes to AD group handling
in 1.11.2 and 1.11.3.

bye,
Sumit



Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-24 Thread Jakub Hrozek

Did you verify that "id" prints the expected groups for the user in question
after he logs in? I think we need to first verify that the memberships are
stored correctly in the cache.



Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-24 Thread Pavel Brezina
Hi,
I wasn't able to reproduce this with a membership setup exactly like this one. I
have already seen a similar problem once; unfortunately the user stopped
responding before we could reach the root cause. I think it is correct
from the sudo point of view; what is problematic here is the missing group
membership.

It seems that the membership of the trusted user is not resolved correctly.
Sumit, Jakub, do you have any ideas?


Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-19 Thread Steve Dainard
Hi Pavel,

sdainard-admin is a Windows domain user, part of an external group
'ad_admins_external' which is a member of 'ad_admins', an ipa posix group.

The 'admins' group is the built-in ipa admin group.

ipa group-show admins
  Group name: admins
  Description: Account administrators group
  GID: 176820
  Member users: admin
  Member groups: ad_admins
  Member of Sudo rule: ad_admins
  Indirect Member groups: ad_admins_external

ipa group-show ad_admins
  Group name: ad_admins
  Description: miovision.corp admins
  GID: 176824
  Member users: admin
  Member groups: ad_admins_external
  Member of groups: admins
  Member of Sudo rule: ad_admins, All

Thanks,


Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-19 Thread Pavel Březina

Can you tell me more about the admins and ad_admins groups and
sdainard-admin? I would like to know how the membership is configured
and what their relation to AD is. A dump of ipa user-show and ipa
group-show should be enough, I think.





Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-18 Thread Steve Dainard
Hi Pavel,

Very interesting, my IPA group membership in ad_admins isn't shown by that
command on first run (new login)

sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
uid=799002462(sdainard-ad...@miovision.corp)
gid=799002462(sdainard-ad...@miovision.corp)
groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-acc...@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperat...@miovision.corp),799002468(kladm...@miovision.corp)

sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-ad...@miovision.corp:
sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.  This incident will be reported.

But after attempting the sudo command my groups do contain the IPA groups
admins,ad_admins:

sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
uid=799002462(sdainard-ad...@miovision.corp)
gid=799002462(sdainard-ad...@miovision.corp)
groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-acc...@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperat...@miovision.corp),799002468(kladm...@miovision.corp),*176820(admins),176824(ad_admins)*

sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-ad...@miovision.corp:
root@ubu1310:/home/miovision.corp/sdainard-admin#


Sudo rule (I had to create this; apparently it's a default rule, but it didn't
exist in my install on RHEL7 beta):
  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: ad_admins

I saw the new dns update option (and refresh timers!), thanks.

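As an added illustration (not code from this thread, SSSD or FreeIPA), the following Python parses two `id` snapshots of the kind quoted above and checks each against the 'All' rule quoted above, reporting which groups only showed up on the second lookup. The sample `id` lines are a constructed subset of the thread's values, and only the user-group part of the rule is evaluated since the other categories in that rule are 'all'.

```python
# Added example: parse two `id` snapshots of the same user and check them
# against the IPA sudo rule quoted in the thread. Not code from the thread,
# SSSD or FreeIPA; the samples below are constructed from the thread's values.
import re
from typing import Dict, List, Tuple

# Constructed sample: first `id` run after login, a subset of the groups
# shown in the thread. No IPA groups are present yet.
ID_FIRST_RUN = (
    "uid=799002462(sdainard-admin@miovision.corp) "
    "gid=799002462(sdainard-admin@miovision.corp) "
    "groups=799002462(sdainard-admin@miovision.corp),"
    "799001416(hr-share-access@miovision.corp),"
    "799002469(kloperators@miovision.corp)"
)
# Constructed sample: second run, after the sudo attempt, where the IPA
# groups admins and ad_admins have appeared.
ID_SECOND_RUN = ID_FIRST_RUN + ",176820(admins),176824(ad_admins)"

# The 'All' rule as quoted in the thread (every other category is 'all').
SUDO_RULE_ALL = {
    "Rule name": "All",
    "Enabled": "TRUE",
    "Host category": "all",
    "Command category": "all",
    "RunAs User category": "all",
    "RunAs Group category": "all",
    "User Groups": ["ad_admins"],
}

_GROUPS_RE = re.compile(r"groups=(.*)$")
_ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(id_output: str) -> Dict[int, str]:
    """Return {gid: name} for every entry after 'groups=' in `id` output.
    Whitespace is normalised first so mail-wrapped output (as quoted in
    the thread) parses the same as a single line."""
    flat = " ".join(id_output.split())
    m = _GROUPS_RE.search(flat)
    if not m:
        return {}
    return {int(gid): name.strip() for gid, name in _ENTRY_RE.findall(m.group(1))}


def groups_added(first: str, second: str) -> List[Tuple[int, str]]:
    """Groups present in the second snapshot but absent from the first:
    the memberships that were not yet available on the first lookup."""
    a, b = parse_id_groups(first), parse_id_groups(second)
    return sorted((gid, b[gid]) for gid in b.keys() - a.keys())


def short_name(name: str) -> str:
    """Strip a trusted-domain suffix: 'kloperators@miovision.corp' -> 'kloperators'."""
    return name.split("@", 1)[0]


def rule_matches(rule: dict, groups: Dict[int, str]) -> bool:
    """Does the user part of the rule apply to a user holding these groups?
    Host, command and RunAs categories are 'all' in the quoted rule, so only
    the 'User Groups' list (or a 'User category' of 'all') is checked."""
    if rule.get("Enabled") != "TRUE":
        return False
    if rule.get("User category") == "all":
        return True
    wanted = set(rule.get("User Groups", []))
    have = {short_name(n) for n in groups.values()}
    return bool(wanted & have)


def diagnose(first: str, second: str, rule: dict) -> dict:
    """Summarise the denied-then-allowed symptom: whether the rule would
    match on each snapshot and which groups arrived late."""
    g1, g2 = parse_id_groups(first), parse_id_groups(second)
    return {
        "first_matches": rule_matches(rule, g1),
        "second_matches": rule_matches(rule, g2),
        "late_groups": groups_added(first, second),
    }


if __name__ == "__main__":
    print(diagnose(ID_FIRST_RUN, ID_SECOND_RUN, SUDO_RULE_ALL))
```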

Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-18 Thread Pavel Březina


Hi,
thank you for the logs. Can you also send me the output of the command "id
sdainard-admin" (also check if the group membership is correct) and the
definition of the sudo rule please?


Also you may want to fix the following (unrelated) warning:
Deprecation warning: The option ipa_dyndns_update is deprecated and 
should not be used in favor of dyndns_update




Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-17 Thread Steve Dainard
I can't reproduce consistently on any OS including Fedora 20, but I was
able to trigger the issue on a Ubuntu 13.10 client.

sssd: 1.11.1

sudo: 1.8.6p3-0ubuntu3

I have only just enabled the sudo logging so it should only contain the
events below:

sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-ad...@miovision.corp:
sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.  This incident will be reported.
sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-ad...@miovision.corp:
root@ubu1310:/home/miovision.corp/sdainard-admin#

Files attached outside of list.

Thanks,



On Mon, Feb 17, 2014 at 3:46 AM, Pavel Březina wrote:

> On 02/16/2014 01:19 AM, Steve Dainard wrote:
>
>> Just experienced the same issue on Fedora 20:
>>
>> [sdainard-ad...@miovision.corp@fed20 ~]$ sudo systemctl stop firewalld
>> [sudo] password for sdainard-ad...@miovision.corp:
>> sdainard-ad...@miovision.corp is not allowed to run sudo on fed20.  This
>> incident will be reported.
>> [sdainard-ad...@miovision.corp@fed20 ~]$ sudo systemctl stop firewalld
>> [sudo] password for sdainard-ad...@miovision.corp:
>> [sdainard-ad...@miovision.corp@fed20 ~]$
>>
>> Sat Feb 15 19:10:30 2014 is the 2nd attempt in the logs (attached).
>>
>> /var/log/messages:
>> Feb 15 19:10:31 fed20 systemd: Stopping firewalld - dynamic firewall
>> daemon...
>> Feb 15 19:10:31 fed20 systemd: Stopped firewalld - dynamic firewall
>> daemon.
>>
>>
>>
>> On Fri, Feb 14, 2014 at 4:33 PM, Steve Dainard wrote:
>>
>> On a Ubuntu 13.10 client after configuring sssd to provide sudo
>> service I left the client idle for a few hours. On returning, I
>> unlocked the screensaver and did the following:
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>> [sudo] password for sdainard-ad...@miovision.corp:
>> sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.
>>   This incident will be reported.
>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>> [sudo] password for sdainard-ad...@miovision.corp:
>> root@ubu1310:/home/miovision.corp/sdainard-admin#
>>
>> I haven't experienced this on a Fedora 20 or EL client so I'm
>> guessing this is something specific to Ubuntu.
>>
>> I've attached the client sssd log if anyone can point me in the
>> right direction.
>>
>> Thanks,
>>
>>
>>
>
> Hi,
> the provided logs did not reveal anything bad. Can you also attach
> sssd_sudo.log, sssd_nss.log and sssd.conf please? Also, what sssd and sudo
> version do you run?
>
> Is this always reproducible, or does it happen only sporadically?
>
> Thanks.
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-17 Thread Pavel Březina

On 02/16/2014 01:19 AM, Steve Dainard wrote:

Just experienced the same issue on Fedora 20:

[sdainard-ad...@miovision.corp@fed20 ~]$ sudo systemctl stop firewalld
[sudo] password for sdainard-ad...@miovision.corp:
sdainard-ad...@miovision.corp is not allowed to run sudo on fed20.  This
incident will be reported.
[sdainard-ad...@miovision.corp@fed20 ~]$ sudo systemctl stop firewalld
[sudo] password for sdainard-ad...@miovision.corp:
[sdainard-ad...@miovision.corp@fed20 ~]$

Sat Feb 15 19:10:30 2014 is the 2nd attempt in the logs (attached).

/var/log/messages:
Feb 15 19:10:31 fed20 systemd: Stopping firewalld - dynamic firewall
daemon...
Feb 15 19:10:31 fed20 systemd: Stopped firewalld - dynamic firewall daemon.




On Fri, Feb 14, 2014 at 4:33 PM, Steve Dainard <sdain...@miovision.com> wrote:

On a Ubuntu 13.10 client after configuring sssd to provide sudo
service I left the client idle for a few hours. On returning, I
unlocked the screensaver and did the following:

sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-ad...@miovision.corp:
sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.
  This incident will be reported.
sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-ad...@miovision.corp:
root@ubu1310:/home/miovision.corp/sdainard-admin#

I haven't experienced this on a Fedora 20 or EL client so I'm
guessing this is something specific to Ubuntu.

I've attached the client sssd log if anyone can point me in the
right direction.

Thanks,




Hi,
the provided logs did not reveal anything bad. Can you also attach
sssd_sudo.log, sssd_nss.log and sssd.conf please? Also, what sssd and
sudo version do you run?

Is this always reproducible, or does it happen only sporadically?

Thanks.
