Hi Pavel, sdainard-admin is a Windows domain user, part of an external group 'ad_admins_external' which is a member of 'ad_admins', an ipa posix group.
'admins' group is the built-in ipa admin group.

ipa group-show admins
  Group name: admins
  Description: Account administrators group
  GID: 1768200000
  Member users: admin
  Member groups: ad_admins
  Member of Sudo rule: ad_admins
  Indirect Member groups: ad_admins_external

ipa group-show ad_admins
  Group name: ad_admins
  Description: miovision.corp admins
  GID: 1768200004
  Member users: admin
  Member groups: ad_admins_external
  Member of groups: admins
  Member of Sudo rule: ad_admins, All

Thanks,

Steve Dainard
IT Infrastructure Manager
Miovision <http://miovision.com/> | Rethink Traffic
Blog <http://miovision.com/blog> | LinkedIn <https://www.linkedin.com/company/miovision-technologies> | Twitter <https://twitter.com/miovision> | Facebook <https://www.facebook.com/miovision>
------------------------------
Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON, Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.
On Wed, Feb 19, 2014 at 8:48 AM, Pavel Březina <pbrez...@redhat.com> wrote:
> On 02/18/2014 10:32 PM, Steve Dainard wrote:
>
>> Hi Pavel,
>>
>> Very interesting, my IPA group membership in ad_admins isn't shown by
>> that command on first run (new login):
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
>> uid=799002462(sdainard-ad...@miovision.corp)
>> gid=799002462(sdainard-ad...@miovision.corp)
>> groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperat...@miovision.corp),799002468(kladm...@miovision.corp)
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>> [sudo] password for sdainard-ad...@miovision.corp:
>> sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.
>> This incident will be reported.
>>
>> But after attempting the sudo command my groups do contain the IPA
>> groups admins,ad_admins:
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
>> uid=799002462(sdainard-ad...@miovision.corp)
>> gid=799002462(sdainard-ad...@miovision.corp)
>> groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperat...@miovision.corp),799002468(kladm...@miovision.corp),1768200000(admins),1768200004(ad_admins)
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>> [sudo] password for sdainard-ad...@miovision.corp:
>> root@ubu1310:/home/miovision.corp/sdainard-admin#
>>
>> Sudo rule (I had to create this, apparently it's a default rule, but
>> didn't exist in my install on RHEL7 beta):
>>
>>   Rule name: All
>>   Enabled: TRUE
>>   Host category: all
>>   Command category: all
>>   RunAs User category: all
>>   RunAs Group category: all
>>   User Groups: ad_admins
>
> Can you tell me more information about admins and ad_admins groups and
> sdainard-admin? I would like to know how the membership is configured and
> what is their relation to AD. Dump of ipa user-show and ipa group-show
> should be enough, I think.
>
>> I saw the new dns update option (and refresh timers!), thanks.
>>
>> Steve Dainard
>> IT Infrastructure Manager
>> Miovision <http://miovision.com/> | Rethink Traffic
>>
>> On Tue, Feb 18, 2014 at 5:27 AM, Pavel Březina <pbrez...@redhat.com> wrote:
>>
>>> On 02/17/2014 10:29 PM, Steve Dainard wrote:
>>>
>>>> I can't reproduce consistently on any OS including Fedora 20, but I was
>>>> able to trigger the issue on an Ubuntu 13.10 client.
>>>>
>>>> sssd: 1.11.1
>>>> sudo: 1.8.6p3-0ubuntu3
>>>>
>>>> I have only just enabled the sudo logging so it should only contain the
>>>> events below:
>>>>
>>>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>>>> [sudo] password for sdainard-ad...@miovision.corp:
>>>> sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310.
>>>> This incident will be reported.
>>>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>>>> [sudo] password for sdainard-ad...@miovision.corp:
>>>> root@ubu1310:/home/miovision.corp/sdainard-admin#
>>>>
>>>> Files attached outside of list.
>>>
>>> Hi,
>>> thank you for the logs. Can you also send me output of command "id
>>> sdainard-admin" (also check if group membership is correct) and
>>> definition of the sudo rule please?
>>>
>>> Also you may want to fix the following (unrelated) warning:
>>> Deprecation warning: The option ipa_dyndns_update is deprecated and
>>> should not be used in favor of dyndns_update
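The denial in the thread follows directly from what `id` shows: the rule "All" is restricted to User Groups: ad_admins, and on first login the user's group list carries only the AD groups (qualified with @miovision.corp), not the unqualified IPA groups admins and ad_admins that appear after the first sudo attempt. The script below is an added example, not code from the thread, FreeIPA or SSSD: it parses `id` output (group names may contain spaces, so it walks gid(name) entries instead of splitting on whitespace), applies the user/host/command clauses of an IPA sudo rule in simplified form, and reports which rule-referenced groups the user is currently missing. The sample `id` lines and the dict layout for the rule are constructed for the example; the abbreviated group names in the archive are replaced with made-up ones.

```python
import re

# Constructed sample input, modelled on the two "id" outputs in the thread.
# The archive abbreviates most names, so these AD group names are made up.
ID_FIRST_LOGIN = (
    "uid=799002462(sdainard-admin@miovision.corp) "
    "gid=799002462(sdainard-admin@miovision.corp) "
    "groups=799002462(sdainard-admin@miovision.corp),"
    "799000512(domain admins@miovision.corp),"
    "799000513(domain users@miovision.corp),"
    "799002464(it - admins@miovision.corp)"
)
# Same user after the failed sudo attempt: the IPA groups have appeared.
ID_AFTER_SUDO = ID_FIRST_LOGIN + ",1768200000(admins),1768200004(ad_admins)"

# The IPA sudo rule "All" as posted in the thread, reduced to the fields
# that decide whether it applies.  Hypothetical dict layout for this
# example, not an IPA API object.
RULE_ALL = {
    "name": "All",
    "enabled": True,
    "host_category": "all", "hosts": set(),
    "command_category": "all", "commands": set(),
    "user_category": None, "users": set(),
    "user_groups": {"ad_admins"},
}

_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(output):
    """Return (user name, set of group names) from the output of `id <user>`.

    The groups= field is parsed as a sequence of gid(name) entries because
    names such as "domain users@miovision.corp" contain spaces.
    """
    m = re.search(r"\buid=(\d+)\(([^)]*)\)", output)
    if not m:
        raise ValueError("no uid= field in id output")
    user = m.group(2)
    start = output.find("groups=")
    groups = set()
    if start != -1:
        tail = output[start + len("groups="):]
        groups = {name for _, name in _ENTRY.findall(tail)}
    return user, groups


def rule_applies(rule, user, groups, host, command):
    """Simplified IPA sudo-rule match on the host, command and user clauses.

    Group membership is compared against the unqualified IPA group name,
    which is how IPA groups show up in `id` (e.g. "ad_admins"); AD groups
    carry the domain suffix and never match an IPA rule's User Groups.
    """
    if not rule["enabled"]:
        return False
    if rule["host_category"] != "all" and host not in rule["hosts"]:
        return False
    if rule["command_category"] != "all" and command not in rule["commands"]:
        return False
    if rule["user_category"] == "all":
        return True
    return user in rule["users"] or bool(rule["user_groups"] & groups)


def diagnose(rules, id_output, host="ubu1310", command="/bin/su"):
    """Return (names of rules that apply, sorted group names that enabled
    rules reference but the user currently lacks).

    An empty first element with a non-empty second one is exactly the
    "is not allowed to run sudo" situation reported in the thread.
    """
    user, groups = parse_id(id_output)
    applies = [r["name"] for r in rules
               if rule_applies(r, user, groups, host, command)]
    wanted = set()
    for r in rules:
        if r["enabled"]:
            wanted |= r["user_groups"]
    return applies, sorted(wanted - groups)


if __name__ == "__main__":
    for label, out in (("first login", ID_FIRST_LOGIN),
                       ("after sudo", ID_AFTER_SUDO)):
        applies, missing = diagnose([RULE_ALL], out)
        print(f"{label}: rules={applies or 'none'} "
              f"missing groups={missing or 'none'}")
```

Run as-is it reports no applicable rule and a missing ad_admins for the first-login sample, and rule "All" with nothing missing for the post-sudo sample. On a real client the practitioner's version of this check is simply `id <user>` captured before and after the first sudo, compared against the rule's User Groups; the real decision is still made by sudo through SSSD's sudo responder, which also evaluates RunAs, host netgroups and command lists that this example does not model.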
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users