[Samba] Adding an AD group to /etc/sudoers?

Jeff Sadowski jeff.sadowski at gmail.com
Tue Dec 8 21:59:12 UTC 2015


# id username|sed "s/,/\n/g"|wc -l
155

# id|sed "s/,/\n/g"|wc -l
28


On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:

> wbinfo -r username
> shows the gid of it
> and a bunch of -1's, I'd guess for groups without gids.
> My user belongs to 155 groups; is there a problem with that many groups?
>
> On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
> wrote:
>
>> "id" alone does not show my user in the it group
>> "id username" does
>> why would id alone give different results?
>>
>> which is odd because
>> as my username I can get into a folder that has 0760 permissions with
>> user as root and it as the group
>>
>> as for
>> %it ALL=(ALL) ALL
>> instead of:
>> %it ALL=(ALL:ALL) ALL
>>
>> seems to work the same
>>
>>
>>
>> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <
>> mattiasz at thinklogical.com> wrote:
>>
>>> Jeff,
>>>
>>> After the ssh did you run "id" command to verify that your account
>>> belongs to the "it" group on the remote system?
>>>
>>> Did you try:
>>> %it ALL=(ALL) ALL
>>> instead of:
>>> %it ALL=(ALL:ALL) ALL
>>>
>>> Regards,
>>> Matt
>>>
>>> ________________________________________
>>> From: samba <samba-bounces at lists.samba.org> on behalf of Jeff Sadowski <
>>> jeff.sadowski at gmail.com>
>>> Sent: Monday, December 7, 2015 2:56 PM
>>> To: samba
>>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>>
>>> I can't seem to get this working and here is what I have done so far.
>>> I am using samba 4.1.6
>>>
>>> my /etc/samba/smb.conf looks like so
>>>
>>>    security = ads
>>>    realm = DOMAIN.LONG
>>>    workgroup = DOMAIN
>>>    idmap config * : backend = tdb
>>>    idmap config * : range = 2000-7999
>>>    idmap config DOMAIN:backend = ad
>>>    idmap config DOMAIN:range = 8000-9999999
>>>    idmap config DOMAIN:schema_mode = rfc2307
>>>    winbind nss info = rfc2307
>>>    winbind use default domain = yes
>>>    winbind nested groups=yes
>>>    # so that the users show up in getent
>>>    winbind enum users = Yes
>>>    # doesn't seem to do the same for groups :-/
>>>    winbind enum groups = Yes
>>>    restrict anonymous = 2
>>>
>>> In AD my group it has a gid 8001
>>>
>>> #getent group it
>>> it:x:8001:myusername,others
>>>
>>>
>>> in /etc/sudoers is the line
>>> %it ALL=(ALL:ALL) ALL
>>>
>>> when I ssh to said machine like so
>>>
>>> ssh myusername@problemhost
>>>
>>> then run a command like so
>>>
>>> > sudo echo
>>> [sudo] password for myusername:
>>> myusername is not in the sudoers file.  This incident will be reported.
>>>
>>> I tried adding another line to /etc/sudoers as follows
>>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>>
>>> and
>>>
>>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>>
>>> but neither of them works either.
>>>
>>> I seem to be able to get into the NFS shares I have group permissions to,
>>> but I cannot get sudo to work with my AD user group.
>>
>>
>>
>
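
Added example (not part of the original thread): "id" with no argument prints the group list the current process inherited at login, while "id username" does a fresh lookup through NSS, which is the difference reported above. The script below compares the two lists; the function names are hypothetical, and gid 8001 is the "it" group's gid quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the groups carried by the
# current login session with the groups NSS (winbind here) returns for
# the same account. Usage: sh groupcheck.sh 8001

# has_gid GID "LIST": succeeds if GID is in the space-separated LIST.
has_gid() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_gids "SESSION" "NSS": print each gid in NSS that SESSION lacks.
missing_gids() {
    for gid in $2; do
        has_gid "$gid" "$1" || printf '%s\n' "$gid"
    done
}

# report GID: GID is the numeric gid of the group named in sudoers
# (8001 for "it" in the thread).
report() {
    user=$(id -un)
    session=$(id -G)          # process credentials, inherited from login
    nss=$(id -G "$user")      # fresh lookup through NSS
    echo "session: $(echo "$session" | wc -w) groups"
    echo "NSS:     $(echo "$nss" | wc -w) groups"
    if has_gid "$1" "$session"; then
        echo "gid $1 is in the session's group list"
    else
        echo "gid $1 is NOT in the session's group list"
    fi
    if has_gid "$1" "$nss"; then
        echo "gid $1 is returned by NSS for $user"
    else
        echo "gid $1 is NOT returned by NSS for $user"
    fi
    echo "gids NSS returns that the session lacks:"
    missing_gids "$session" "$nss"
}

# Only run the live comparison when a gid is given on the command line.
if [ $# -gt 0 ]; then report "$1"; fi
```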

