Mattias Zhabinskiy mattiasz at thinklogical.com
Wed Dec 9 15:20:22 UTC 2015

Jeff,

After ssh try to run:

newgrp it

and then sudo. See if it will work, then you'll have to figure out what's going on with the users groups membership.

Regards,

Matt

________________________________
Sent: Wednesday, December 9, 2015 10:08 AM
To: Mattias Zhabinskiy; samba

# cat /proc/sys/kernel/ngroups_max
65536
# sysctl kernel.ngroups_max
kernel.ngroups_max = 65536

Is there a way to change/look at AUTH_SYS?
Seems I have 28 groups now as my user
I tried created a test user with much less groups
but it turns out it is on all those other groups.
As such I tried

winbind nested groups=no

but this doesn't seem to change anything.

On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com<mailto:mattiasz at thinklogical.com>> wrote:

Jeff,

To find out maximum number of groups allowed per user run:

cat /proc/sys/kernel/ngroups_max
or
sysctl kernel.ngroups_max
but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a test account, add it to the "it" group and test it with sudo, or trim your account membership to 16 or less groups.

Regards,

Matt

________________________________
Sent: Tuesday, December 8, 2015 4:59 PM
To: Mattias Zhabinskiy; samba

155

# id|sed "s/,/\n/g"|wc -l
28

shows the gid of it
and a bunch of -1's id guess for groups without gid's
my user belongs to 155 groups is there a problem with that many groups?

"id" alone does not show my user in the it group
why would id alone give different results?

which is odd because
as my username I can get into a folder that has 0760 permissions with user as root and it as the group

as for
%it ALL=(ALL) ALL
%it ALL=(ALL:ALL) ALL

seems to work the same

On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com<mailto:mattiasz at thinklogical.com>> wrote:
Jeff,

After the ssh did you run "id" command to verify that your account belongs to the "it" group on the remote system?

Did you try:
%it ALL=(ALL) ALL
%it ALL=(ALL:ALL) ALL

Regards,
Matt

________________________________________
From: samba <samba-bounces at lists.samba.org<mailto:samba-bounces at lists.samba.org>> on behalf of Jeff Sadowski <jeff.sadowski at gmail.com<mailto:jeff.sadowski at gmail.com>>
Sent: Monday, December 7, 2015 2:56 PM
To: samba

I can't seem to get this working and here is what I have done so far.
I am using samba 4.1.6

my /etc/samba/smb.conf looks like so

realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config DOMAIN:range = 8000-9999999
idmap config DOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = yes
winbind nested groups=yes
# so that the users show up in getent
winbind enum users = Yes
# doesn't seem to do the same for groups :-/
winbind enum groups = Yes
restrict anonymous = 2

In AD my group it has a gid 8001

#getent group it

in /etc/sudoers is the line
%it ALL=(ALL:ALL) ALL

when I ssh to said machine like so

then run a command like so

> sudo echo
myusername is not in the sudoers file.  This incident will be reported.

I tried adding another line to /etc/sudoers as follows
%DOMAIN\\it ALL=(ALL:ALL) ALL

and

%DOMAIN\it ALL=(ALL:ALL) ALL

but neither of them work either.

I seem to be able to get into the nfs shares I have group permissions to
but I can not get sudo to work with my AD user group.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba