[Samba] Adding an AD group to /etc/sudoers?

Jeff Sadowski jeff.sadowski at gmail.com
Wed Dec 9 15:08:07 UTC 2015


# cat /proc/sys/kernel/ngroups_max
65536
# sysctl kernel.ngroups_max
kernel.ngroups_max = 65536

Is there a way to change/look at AUTH_SYS?
Seems I have 28 groups now as my user.
I tried creating a test user with far fewer groups,
but it turns out it is in all those other groups.
As such I tried

winbind nested groups=no

but this doesn't seem to change anything.



On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy <
mattiasz at thinklogical.com> wrote:

> Jeff,
>
>
> To find out maximum number of groups allowed per user run:
>
> cat /proc/sys/kernel/ngroups_max
> or
> sysctl kernel.ngroups_max
> but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a
> test account, add it to the "it" group and test it with sudo, or trim your
> account membership to 16 or less groups.
>
> Regards,
>
> Matt
>
> ------------------------------
> *From:* Jeff Sadowski <jeff.sadowski at gmail.com>
> *Sent:* Tuesday, December 8, 2015 4:59 PM
> *To:* Mattias Zhabinskiy; samba
> *Subject:* Re: [Samba] Adding an AD group to /etc/sudoers?
>
> # id username|sed "s/,/\n/g"|wc -l
> 155
>
> # id|sed "s/,/\n/g"|wc -l
> 28
>
>
> On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
> wrote:
>
>> wbinfo -r username
>> shows the gid of it
>> and a bunch of -1's, I guess for groups without gids.
>> My user belongs to 155 groups; is there a problem with that many groups?
>>
>> On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
>> wrote:
>>
>>> "id" alone does not show my user in the it group
>>> "id username" does
>>> why would id alone give different results?
>>>
>>> which is odd because
>>> as my username I can get into a folder that has 0760 permissions with
>>> user as root and it as the group
>>>
>>> as for
>>> %it ALL=(ALL) ALL
>>> instead of:
>>> %it ALL=(ALL:ALL) ALL
>>>
>>> seems to work the same
>>>
>>>
>>>
>>> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <
>>> mattiasz at thinklogical.com> wrote:
>>>
>>>> Jeff,
>>>>
>>>> After the ssh did you run "id" command to verify that your account
>>>> belongs to the "it" group on the remote system?
>>>>
>>>> Did you try:
>>>> %it ALL=(ALL) ALL
>>>> instead of:
>>>> %it ALL=(ALL:ALL) ALL
>>>>
>>>> Regards,
>>>> Matt
>>>>
>>>> ________________________________________
>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Jeff Sadowski
>>>> <jeff.sadowski at gmail.com>
>>>> Sent: Monday, December 7, 2015 2:56 PM
>>>> To: samba
>>>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>>>
>>>> I can't seem to get this working and here is what I have done so far.
>>>> I am using samba 4.1.6
>>>>
>>>> my /etc/samba/smb.conf looks like so
>>>>
>>>>    security = ads
>>>>    realm = DOMAIN.LONG
>>>>    workgroup = DOMAIN
>>>>    idmap config * : backend = tdb
>>>>    idmap config * : range = 2000-7999
>>>>    idmap config DOMAIN:backend = ad
>>>>    idmap config DOMAIN:range = 8000-9999999
>>>>    idmap config DOMAIN:schema_mode = rfc2307
>>>>    winbind nss info = rfc2307
>>>>    winbind use default domain = yes
>>>>    winbind nested groups=yes
>>>>    # so that the users show up in getent
>>>>    winbind enum users = Yes
>>>>    # doesn't seem to do the same for groups :-/
>>>>    winbind enum groups = Yes
>>>>    restrict anonymous = 2
>>>>
>>>> In AD my group it has a gid 8001
>>>>
>>>> #getent group it
>>>> it:x:8001:myusername,others
>>>>
>>>>
>>>> in /etc/sudoers is the line
>>>> %it ALL=(ALL:ALL) ALL
>>>>
>>>> when I ssh to said machine like so
>>>>
>>>> ssh myusername at problemhost
>>>>
>>>> then run a command like so
>>>>
>>>> > sudo echo
>>>> [sudo] password for myusername:
>>>> myusername is not in the sudoers file.  This incident will be reported.
>>>>
>>>> I tried adding another line to /etc/sudoers as follows
>>>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>>>
>>>> and
>>>>
>>>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>>>
>>>> but neither of them work either.
>>>>
>>>> I seem to be able to get into the nfs shares I have group permissions to
>>>> but I can not get sudo to work with my AD user group.
>>>
>>>
>>>
>>
>
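A small diagnostic for the two points raised in this thread: plain `id` reports the supplementary groups the running session was given at login, while `id username` asks NSS (here winbind) what the account resolves to now, so the two can disagree until the user logs in again; and the 16-gid limit Matt mentions belongs to the NFS AUTH_SYS credential, which is why NFS and sudo can behave differently. The script below is an added example, not code from the thread or from Samba; the function names, the `--live` flag and the sample group lists are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the thread or from Samba): compare the groups a
# login session actually holds with the groups NSS/winbind resolves for the
# account, and flag the 16-gid AUTH_SYS limit that applies to NFS.

AUTH_SYS_MAX_GROUPS=16

# count_groups "g1 g2 ..." -> number of whitespace-separated group names
count_groups() {
    set -- $1   # word splitting is intended: one positional parameter per group
    echo "$#"
}

# has_group "g1 g2 ..." NAME -> prints yes if NAME is in the list, else no
has_group() {
    for g in $1; do
        if [ "$g" = "$2" ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# missing_groups SESSION_LIST NSS_LIST -> groups NSS resolves for the account
# that the running session does not hold (the "id" vs "id username" gap)
missing_groups() {
    out=""
    for g in $2; do
        if [ "$(has_group "$1" "$g")" = "no" ]; then
            out="$out $g"
        fi
    done
    echo "${out# }"
}

# over_auth_sys_limit "g1 g2 ..." -> yes if more gids than AUTH_SYS can carry
over_auth_sys_limit() {
    if [ "$(count_groups "$1")" -gt "$AUTH_SYS_MAX_GROUPS" ]; then
        echo yes
    else
        echo no
    fi
}

# report SESSION_LIST NSS_LIST GROUP -> human-readable summary for a %GROUP
# sudoers rule: membership seen by the session, by NSS, and NFS exposure
report() {
    printf 'session holds %s groups, NSS resolves %s groups\n' \
        "$(count_groups "$1")" "$(count_groups "$2")"
    printf '%%%s: in session=%s, in NSS=%s\n' \
        "$3" "$(has_group "$1" "$3")" "$(has_group "$2" "$3")"
    m=$(missing_groups "$1" "$2")
    [ -n "$m" ] && printf 'not in session yet (re-login needed): %s\n' "$m"
    printf 'NSS group count exceeds AUTH_SYS limit of %s: %s\n' \
        "$AUTH_SYS_MAX_GROUPS" "$(over_auth_sys_limit "$2")"
}

# With --live [GROUP], inspect the real session and account; otherwise run on
# constructed sample lists so the script works offline.
if [ "${1:-}" = "--live" ]; then
    session_groups=$(id -Gn)
    nss_groups=$(id -Gn "$(id -un)")
    target=${2:-it}
else
    session_groups="myusername domain-users"             # constructed sample
    nss_groups="myusername domain-users it nfs-admins"   # constructed sample
    target=it
fi
report "$session_groups" "$nss_groups" "$target"
```

Run it as `sh groupcheck.sh --live it` on the problem host after `ssh`-ing in as the affected user; a group that shows up under "not in session yet" is one the login never received, which is the situation where `%it` in sudoers cannot match even though `getent group it` lists the user.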
