Ah. That's not good...
Thanks for the help, Rowland.
On Fri, Apr 25, 2014 at 8:08 AM, Rowland Penny <repenny241155(a)gmail.com> wrote:
On 24/04/14 23:11, Chris Hayes wrote:
Can someone please disambiguate the situation as I'm really unsure what
the problem is after hearing back from some of you guys.
On Wed, Apr 23, 2014 at 1:57 PM, Chris Hayes <berzerkatives(a)gmail.com> wrote:
> On Wed, Apr 23, 2014 at 1:26 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>
>> On Wed, Apr 23, 2014 at 10:50:06AM +0100, Chris Hayes wrote:
>> > On Wed, Apr 23, 2014 at 10:01 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>> >
>> > > On Tue, Apr 22, 2014 at 10:52:23PM +0100, Chris Hayes wrote:
>> > > > I have SSSD (1.8.4) working fine on a Debian Wheezy system, with an LDAP
>> > > > backend for users and groups. However, I'm having a problem with sudo.
>> > > >
>> > > > My sudoers configuration file has the following line in it:
>> > > >
>> > > > %sudo ALL=(ALL:ALL) ALL
>> > > >
>> > > > And my LDAP (via SSSD) user is in that "sudo" group (its UID is in the
>> > > > /etc/group file for group sudo, and getent shows this fine).
>> > > >
>> > > > sudo:x:27:9009
>> > > >
>> > > > However, when I run a sudo command, I receive the following error:
>> > > >
>> > > > chris is not in the sudoers file. This incident will be reported.
>> > > >
>> > > > Can someone help me to understand why this might be happening?
>> > > >
>> > > > Chris
>> > >
>> > > If you run 'id user' do you see him as a member of the sudo group?
>> > >
>> >
>> > uid=9009(chris) gid=9001(chris) groups=9001(chris)
>> >
>> > OK, I see that it's not picking up that sudo group.
>> >
>> > > IIRC the functionality for an LDAP user to be a member of a UNIX group
>> > > was added sometime in 1.9..
>> > >
>> >
>> > I have an LDAP group though, and this also doesn't show in the id output.
>> > Is this also an issue with the pre-1.9 releases?
>> >
>> > admins:*:9000:9009
>>
>> Ah, sorry, I guess I was confused when you said earlier you had a group
>> in /etc/group... so the group sudo relies on is in LDAP or files?
>>
>> In general, I would recommend upgrading to 1.9.x if possible, but such
>> basic functionality as the list of groups the user is a member of worked
>> in 1.8 as well. Are you sure you're using the correct schema? Does the
>> 'id' output for other users look OK?
>>
>> Check out some tips at:
>>
>> https://fedorahosted.org/sssd/wiki/FAQ
>> _______________________________________________
>> sssd-users mailing list
>> sssd-users(a)lists.fedorahosted.org
>>
>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>
>
> Just to be clear, my confusion is exacerbated by seeing exactly what
> I'd expect using getent. Here are the getent lookups.
>
> # My LDAP user (via SSSD).
> chris:*:9009:9001:Chris:/home/chris:/bin/bash
>
> # The local group (/etc/group).
> sudo:x:27:9009
>
> # The LDAP group (via SSSD).
> admins:*:9000:9009
>
> That getent works fine suggests to me that my schema is fine. Upgrading
> isn't really an option as I maintain dozens of machines running Debian
> Wheezy.
>
> Meanwhile, sudo maintains that "chris" isn't present in either of these
> groups.
>
> So is this because my sudo doesn't support SSSD?
>
> Kind regards,
> Chris
>
Hi, I did a bit of research; it took me all of 30 seconds to prove that what I
said was true: your version of sudo does not support sssd. See here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724763
Rowland
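Added example, not code from the thread, from SSSD or from sudo. A sudoers rule such as %sudo ALL=(ALL:ALL) ALL is resolved through the NSS group lookup, getgrouplist(3), which is the same path `id` walks, so whenever `id` omits a group sudo will not see it either. getgrouplist(3) matches the member field of a group record against the user's login name; a numeric UID in that field is just a member named "9009". The script below replays that match over the passwd and group records posted above, plus one constructed group (staff) with a hypothetical member (alice) for contrast. It is a model of the lookup, not the real NSS stack, so it reads its records from shell variables rather than from /etc/group or SSSD:

```shell
#!/bin/sh
# Added example (not part of the thread): replay the membership test that
# getgrouplist(3), and therefore `id` and sudo's %group rule, applies to
# /etc/group-style records.

# Constructed sample records. The passwd line and the sudo/admins group
# lines are the ones posted in the thread; "staff" is made up for contrast.
PASSWD_DB='chris:*:9009:9001:Chris:/home/chris:/bin/bash'
GROUP_DB='sudo:x:27:9009
admins:*:9000:9009
staff:x:50:chris,alice'

# uid_of USER: numeric UID from the sample passwd records, or empty.
uid_of() {
    printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $3 }'
}

# members_of GROUP: the comma-separated member field of the group record.
members_of() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# user_in_group USER GROUP: succeeds only if USER's login name is listed in
# the member field, which is the only thing getgrouplist(3) compares against.
user_in_group() {
    members_of "$2" | tr ',' '\n' | grep -qx -- "$1"
}

# diagnose USER GROUP: exit status 0 = member, 1 = not listed at all,
# 2 = the member field carries the user's UID instead of the login name.
diagnose() {
    user="$1" group="$2"
    if user_in_group "$user" "$group"; then
        echo "ok: $user is a member of $group"
        return 0
    fi
    uid=$(uid_of "$user")
    if [ -n "$uid" ] && members_of "$group" | tr ',' '\n' | grep -qx -- "$uid"; then
        echo "bug: $group lists UID $uid; member fields hold login names, so $user never matches"
        return 2
    fi
    echo "no: $user is not a member of $group"
    return 1
}

# Usage: check the thread's user against each sample group.
for g in sudo admins staff; do
    diagnose chris "$g" || true
done
```

On a live Wheezy host the equivalent checks are `id chris`, `getent group sudo` and the `group:` line of /etc/nsswitch.conf (it must list both files and sss). Whether the sudoers plugin itself was built with SSSD support is a separate question: that support is for sudoRole rules stored in LDAP and served through `sudoers: files sss`, not for %group membership, and the configure options `sudo -V` prints when run as root show whether it was compiled in.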