[Samba] Adding an AD group to /etc/sudoers?

Jeff Sadowski jeff.sadowski at gmail.com
Tue Dec 8 21:12:15 UTC 2015


"id" alone does not show my user in the "it" group;
"id username" does.
Why would "id" alone give different results?

Which is odd, because as my username I can get into a folder that has
0760 permissions, with the user as root and "it" as the group.

As for
%it ALL=(ALL) ALL
instead of:
%it ALL=(ALL:ALL) ALL

it seems to work the same.



On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <
mattiasz at thinklogical.com> wrote:

> Jeff,
>
> After the ssh, did you run the "id" command to verify that your account
> belongs to the "it" group on the remote system?
>
> Did you try:
> %it ALL=(ALL) ALL
> instead of:
> %it ALL=(ALL:ALL) ALL
>
> Regards,
> Matt
>
> ________________________________________
> From: samba <samba-bounces at lists.samba.org> on behalf of Jeff Sadowski <
> jeff.sadowski at gmail.com>
> Sent: Monday, December 7, 2015 2:56 PM
> To: samba
> Subject: [Samba] Adding an AD group to /etc/sudoers?
>
> I can't seem to get this working and here is what I have done so far.
> I am using samba 4.1.6
>
> my /etc/samba/smb.conf looks like so
>
>    security = ads
>    realm = DOMAIN.LONG
>    workgroup = DOMAIN
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-7999
>    idmap config DOMAIN:backend = ad
>    idmap config DOMAIN:range = 8000-9999999
>    idmap config DOMAIN:schema_mode = rfc2307
>    winbind nss info = rfc2307
>    winbind use default domain = yes
>    winbind nested groups=yes
>    # so that the users show up in getent
>    winbind enum users = Yes
>    # doesn't seem to do the same for groups :-/
>    winbind enum groups = Yes
>    restrict anonymous = 2
>
> In AD my group it has a gid 8001
>
> #getent group it
> it:x:8001:myusername,others
>
>
> in /etc/sudoers is the line
> %it ALL=(ALL:ALL) ALL
>
> when I ssh to said machine like so
>
> ssh myusername@problemhost
>
> then run a command like so
>
> > sudo echo
> [sudo] password for myusername:
> myusername is not in the sudoers file.  This incident will be reported.
>
> I tried adding another line to /etc/sudoers as follows
> %DOMAIN\\it ALL=(ALL:ALL) ALL
>
> and
>
> %DOMAIN\it ALL=(ALL:ALL) ALL
>
> but neither of them works either.
>
> I seem to be able to get into the nfs shares I have group permissions to
> but I cannot get sudo to work with my AD user group.
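
An added diagnostic, not part of the thread and not code from Samba or sudo: plain `id` prints the groups attached to the current login session, while `id username` asks the name service afresh, so the script below compares the two views for one group. The function names and the sample GID lists are assumptions made for illustration; gid 8001 is the `it` group from the original post.

```shell
#!/bin/sh
# Added example: compare the GIDs held by the current login session with the
# GIDs the name service (NSS/winbind) reports for the same user.

# has_gid GID "LIST": succeed if GID is one of the space-separated GIDs.
has_gid() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# classify GID SESSION_GIDS NSS_GIDS: print where the GID is visible.
classify() {
    s=no; n=no
    has_gid "$1" "$2" && s=yes
    has_gid "$1" "$3" && n=yes
    case "$s$n" in
        yesyes) echo both ;;
        noyes)  echo nss-only ;;      # "id username" shows it, plain "id" does not
        yesno)  echo session-only ;;
        *)      echo neither ;;
    esac
}

# check_group NAME: run the comparison live for the invoking user.
check_group() {
    gid=$(getent group "$1" | cut -d: -f3)
    [ -n "$gid" ] || { echo "group $1 not resolvable via NSS" >&2; return 2; }
    user=$(id -un)
    echo "$1 (gid $gid): $(classify "$gid" "$(id -G)" "$(id -G "$user")")"
}

# Constructed sample values: gid 8001 is the "it" group from the thread,
# the other GIDs are made up.
SAMPLE_SESSION="8000 2001"
SAMPLE_NSS="8000 8001 2001"

# Usage: sh thisfile it
if [ "$#" -gt 0 ]; then
    check_group "$1"
fi
```

Numeric GIDs are compared rather than names because AD group names can contain spaces, which `id -Gn` output does not delimit.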

