[Samba] howto install sudo schema
Rowland Penny
rowlandpenny at googlemail.com
Thu Aug 14 11:23:01 MDT 2014
On 14/08/14 18:07, shadrock uhuru wrote:
> Hi
> just this last issue and I'm set to go,
>
>> I use sssd to get the sudo rules from AD and do not index the sudoUser
>> attribute, in fact, thinking about it, I don't index anything ;-)
>>
>> What I had to do was alter the 'nTSecurityDescriptor' attribute on
>> 'CN=SUDOers', to allow Domain Computers to access the rules
>>
>> Rowland
> not sure what you mean, are you referring to this file
>
> $ cat sudo_user
>
> dn: cn=%wheel,ou=SUDOers, DC=tissisat,DC=co,DC=uk
> objectClass: top
> objectClass: sudoRole
> cn: %wheel
> sudoUser: %wheel
> sudoHost: ALL
> sudoCommand: ALL
>
> specifically to change cn=%wheel and sudoUser: %wheel
>
> dn: cn=%Domain Computers,ou=SUDOers, DC=tissisat,DC=co,DC=uk
> objectClass: top
> objectClass: sudoRole
> cn: %Domain Computers
> sudoUser: %Domain Computers
> sudoHost: ALL
> sudoCommand: ALL
>
> or to change sudoHost: ALL
>
> dn: cn=%wheel,ou=SUDOers, DC=tissisat,DC=co,DC=uk
> objectClass: top
> objectClass: sudoRole
> cn: %wheel
> sudoUser: %wheel
> sudoHost: +Domain Computers
> sudoCommand: ALL
>
> if both are completely wrong could you name and show me
> your file that you modified for Domain Computers.
>
> thanks
> Shadrock
>
OOPS ;-) a bit of a slip between brain and fingers there LOL
I of course meant 'OU=SUDOers', the 'OU' where the sudo rules are
stored, with sssd I did not get any of the rules until I modded the
'nTSecurityDescriptor' attribute.
As for '+Domain Computers', I am not sure, I think this should be 'ALL',
after all, only domain computers will be able to obtain the sudo rules.
Rowland