[Samba] Adding an AD group to /etc/sudoers?

Jeff Sadowski jeff.sadowski at gmail.com
Tue Dec 8 21:56:39 UTC 2015


wbinfo -r username
shows the gid of it
and a bunch of -1's, I'd guess for groups without gids.
My user belongs to 155 groups; is there a problem with that many groups?

On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:

> "id" alone does not show my user in the it group
> "id username" does
> why would id alone give different results?
>
> which is odd because
> as my username I can get into a folder that has 0760 permissions with user
> as root and it as the group
>
> as for
> %it ALL=(ALL) ALL
> instead of:
> %it ALL=(ALL:ALL) ALL
>
> seems to work the same
>
>
>
> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <
> mattiasz at thinklogical.com> wrote:
>
>> Jeff,
>>
>> After the ssh did you run "id" command to verify that your account
>> belongs to the "it" group on the remote system?
>>
>> Did you try:
>> %it ALL=(ALL) ALL
>> instead of:
>> %it ALL=(ALL:ALL) ALL
>>
>> Regards,
>> Matt
>>
>> ________________________________________
>> From: samba <samba-bounces at lists.samba.org> on behalf of Jeff Sadowski <
>> jeff.sadowski at gmail.com>
>> Sent: Monday, December 7, 2015 2:56 PM
>> To: samba
>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>
>> I can't seem to get this working and here is what I have done so far.
>> I am using samba 4.1.6
>>
>> my /etc/samba/smb.conf looks like so
>>
>>    security = ads
>>    realm = DOMAIN.LONG
>>    workgroup = DOMAIN
>>    idmap config * : backend = tdb
>>    idmap config * : range = 2000-7999
>>    idmap config DOMAIN:backend = ad
>>    idmap config DOMAIN:range = 8000-9999999
>>    idmap config DOMAIN:schema_mode = rfc2307
>>    winbind nss info = rfc2307
>>    winbind use default domain = yes
>>    winbind nested groups=yes
>>    # so that the users show up in getent
>>    winbind enum users = Yes
>>    # doesn't seem to do the same for groups :-/
>>    winbind enum groups = Yes
>>    restrict anonymous = 2
>>
>> In AD my group it has a gid 8001
>>
>> #getent group it
>> it:x:8001:myusername,others
>>
>>
>> in /etc/sudoers is the line
>> %it ALL=(ALL:ALL) ALL
>>
>> when I ssh to said machine like so
>>
>> ssh myusername@problemhost
>>
>> then run a command like so
>>
>> > sudo echo
>> [sudo] password for myusername:
>> myusername is not in the sudoers file.  This incident will be reported.
>>
>> I tried adding another line to /etc/sudoers as follows
>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>
>> and
>>
>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>
>> but neither of them work either.
>>
>> I seem to be able to get into the nfs shares I have group permissions to
>> but I can not get sudo to work with my AD user group.
>
>
>
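
A way to compare the three views of group membership mentioned in this thread (`id`, `id username`, `wbinfo -r username`) for a single gid; this is an added example, not part of the original messages. `id` with no argument prints the calling process's credentials, while `id username` does a fresh NSS lookup, so the two can legitimately differ. The function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: locate where a gid drops out between winbind, NSS and the
# current login session. Function names and verdict strings are hypothetical.

# has_gid GID LIST... -> returns 0 if GID appears in the gid list
has_gid() {
    want=$1; shift
    for g in $*; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# count_unmapped LIST... -> prints how many entries are -1 (no gid mapped)
count_unmapped() {
    n=0
    for g in $*; do
        case $g in -1) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# diagnose GID SESSION_GIDS NSS_GIDS WINBIND_GIDS -> prints one verdict:
#   winbind-missing  wbinfo -r does not return the gid (check idmap/gidNumber)
#   nss-missing      winbind has it, but "id -G user" does not
#   session-missing  NSS has it, but the running session's credentials do not
#   ok               all three views contain the gid
diagnose() {
    gid=$1; session=$2; nss=$3; wb=$4
    if ! has_gid "$gid" $wb; then echo "winbind-missing"
    elif ! has_gid "$gid" $nss; then echo "nss-missing"
    elif ! has_gid "$gid" $session; then echo "session-missing"
    else echo "ok"
    fi
}

# Live use on a domain member: sh check_gid.sh myusername 8001
if [ $# -eq 2 ] && command -v wbinfo >/dev/null 2>&1; then
    wb=$(wbinfo -r "$1")
    echo "winbind groups without a gid: $(count_unmapped $wb)"
    diagnose "$2" "$(id -G)" "$(id -G "$1")" "$wb"
fi
```

Run it as the affected user in the same ssh session where sudo fails, since the first list comes from that session's own credentials.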

