On 02/18/2014 10:32 PM, Steve Dainard wrote:
Hi Pavel,
Very interesting, my IPA group membership in ad_admins isn't shown by
that command on first run (new login)
[email protected]@ubu1310:~$ id sdainard-admin
uid=799002462([email protected])
gid=799002462([email protected])
groups=799002462([email protected]),799001380([email protected]),799001417([email protected]),799000519(enterprise
[email protected]),799001416([email protected]),799000512(domain
[email protected]),799000513(domain
[email protected]),799002464(it -
[email protected]),799002469([email protected]),799002468([email protected])
[email protected]@ubu1310:~$ sudo su
[sudo] password for [email protected]:
[email protected] is not allowed to run sudo on ubu1310.
This incident will be reported.
But after attempting the sudo command my groups do contain the IPA
groups admins,ad_admins:
[email protected]@ubu1310:~$ id sdainard-admin
uid=799002462([email protected])
gid=799002462([email protected])
groups=799002462([email protected]),799001380([email protected]),799001417([email protected]),799000519(enterprise
[email protected]),799001416([email protected]),799000512(domain
[email protected]),799000513(domain
[email protected]),799002464(it -
[email protected]),799002469([email protected]),799002468([email protected]),*1768200000(admins),1768200004(ad_admins)*
[email protected]@ubu1310:~$ sudo su
[sudo] password for [email protected]:
root@ubu1310:/home/miovision.corp/sdainard-admin#
Sudo rule (I had to create this, apparently its a default rule, but
didn't exist in my install on RHEL7 beta):
Rule name: All
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: ad_admins
Can you tell me more information about admins and ad_admins groups and
sdainard-admin? I would like to know how the membership is configured
and what is their relation to AD. Dump of ipa user-show and ipa
group-show should be enough, I think.
I saw the new dns update option (and refresh timers!), thanks.
*Steve Dainard *
IT Infrastructure Manager
Miovision <http://miovision.com/> | /Rethink Traffic/
*Blog <http://miovision.com/blog> | **LinkedIn
<https://www.linkedin.com/company/miovision-technologies> | Twitter
<https://twitter.com/miovision> | Facebook
<https://www.facebook.com/miovision>*
------------------------------------------------------------------------
Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener,
ON, Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential.
If you are not the intended recipient, please delete the e-mail and any
attachments and notify us immediately.
On Tue, Feb 18, 2014 at 5:27 AM, Pavel Březina <[email protected]
<mailto:[email protected]>> wrote:
On 02/17/2014 10:29 PM, Steve Dainard wrote:
I can't reproduce consistently on any OS including Fedora 20,
but I was
able to trigger the issue on a Ubuntu 13.10 client.
sssd: 1.11.1
sudo: 1.8.6p3-0ubuntu3
I have only just enabled the sudo logging so it should only
contain the
events below:
[email protected]@__ubu1310:~$ sudo su
[sudo] password for [email protected]:
[email protected] is not allowed to run sudo on ubu1310.
This incident will be reported.
[email protected]@__ubu1310:~$ sudo su
[sudo] password for [email protected]:
root@ubu1310:/home/miovision.__corp/sdainard-admin#
Files attached outside of list.
Hi,
thank you for the logs. Can you also send me output of command "id
sdainard-admin" (also check if group membership is correct) and
definition of the sudo rule please?
Also you may want to fix the following (unrelated) warning:
Deprecation warning: The option ipa_dyndns_update is deprecated and
should not be used in favor of dyndns_update
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
