Hi Jakub,

id info from earlier response:

> Very interesting, my IPA group membership in ad_admins isn't shown by
> that command on first run (new login)
>
> [email protected]@ubu1310:~$ id sdainard-admin
> uid=799002462(sdainard-admin@miovision.corp)
> gid=799002462(sdainard-admin@miovision.corp)
> groups=799002462([email protected]),799001380([email protected]),799001417([email protected]),799000519(enterprise
> [email protected]),799001416(hr-share-access@miovision.corp),799000512(domain
> [email protected]),799000513(domain
> [email protected]),799002464(it -
> [email protected]),799002469(kloperators@miovision.corp),799002468([email protected])
>
> [email protected]@ubu1310:~$ sudo su
> [sudo] password for [email protected]:
> [email protected] is not allowed to run sudo on ubu1310.
> This incident will be reported.
>
> But after attempting the sudo command my groups do contain the IPA
> groups admins,ad_admins:
>
> [email protected]@ubu1310:~$ id sdainard-admin
> uid=799002462(sdainard-admin@miovision.corp)
> gid=799002462(sdainard-admin@miovision.corp)
> groups=799002462([email protected]),799001380([email protected]),799001417([email protected]),799000519(enterprise
> [email protected]),799001416(hr-share-access@miovision.corp),799000512(domain
> [email protected]),799000513(domain
> [email protected]),799002464(it -
> [email protected]),799002469(kloperators@miovision.corp),799002468([email protected]),*1768200000(admins),1768200004(ad_admins)*

Steve Dainard
IT Infrastructure Manager
Miovision

On Mon, Feb 24, 2014 at 10:55 AM, Jakub Hrozek <[email protected]> wrote:

> On Mon, Feb 24, 2014 at 10:46:19AM -0500, Pavel Brezina wrote:
> > Hi,
> > I wasn't able to reproduce with membership setup exactly like this. I
> > have already seen similar problem once, unfortunately the user stopped
> > responding before we could reach the root cause. I think it is correct
> > from the sudo point of view, what is problematic here is missing group
> > membership.
> >
> > It seems that membership of trusted user is not resolved correctly.
> > Sumit, Jakub, do you have any ideas?
>
> Did you verify if "id" prints the expected groups for the user in question
> after he logs in? I think we need to first verify if the memberships are
> stored correctly to the cache..

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
