[Samba] Adding an AD group to /etc/sudoers?

Mattias Zhabinskiy mattiasz at thinklogical.com
Wed Dec 9 15:20:22 UTC 2015


Jeff,


After ssh, try to run:


newgrp it


and then sudo. See if it works; then you'll have to figure out what's going on with the user's group membership.


Regards,

Matt


________________________________
From: Jeff Sadowski <jeff.sadowski at gmail.com>
Sent: Wednesday, December 9, 2015 10:08 AM
To: Mattias Zhabinskiy; samba
Subject: Re: [Samba] Adding an AD group to /etc/sudoers?

# cat /proc/sys/kernel/ngroups_max
65536
# sysctl kernel.ngroups_max
kernel.ngroups_max = 65536

Is there a way to change/look at AUTH_SYS?
It seems I have 28 groups now as my user.
I tried creating a test user with far fewer groups,
but it turns out it is in all those other groups.
As such I tried

winbind nested groups=no

but this doesn't seem to change anything.



On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:

Jeff,


To find out the maximum number of groups allowed per user, run:

cat /proc/sys/kernel/ngroups_max
or
sysctl kernel.ngroups_max
but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a test account, add it to the "it" group and test it with sudo, or trim your account membership to 16 groups or fewer.

Regards,

Matt

________________________________
From: Jeff Sadowski <jeff.sadowski at gmail.com>
Sent: Tuesday, December 8, 2015 4:59 PM
To: Mattias Zhabinskiy; samba
Subject: Re: [Samba] Adding an AD group to /etc/sudoers?

# id username|sed "s/,/\n/g"|wc -l
155

# id|sed "s/,/\n/g"|wc -l
28


On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
wbinfo -r username
shows the gid of it
and a bunch of -1's, I'd guess for groups without gids.
My user belongs to 155 groups; is there a problem with that many groups?

On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
"id" alone does not show my user in the it group;
"id username" does.
Why would id alone give different results?

Which is odd, because
as my username I can get into a folder that has 0760 permissions with user as root and it as the group.

as for
%it ALL=(ALL) ALL
instead of:
%it ALL=(ALL:ALL) ALL

seems to work the same



On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
Jeff,

After the ssh did you run "id" command to verify that your account belongs to the "it" group on the remote system?

Did you try:
%it ALL=(ALL) ALL
instead of:
%it ALL=(ALL:ALL) ALL

Regards,
Matt

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Jeff Sadowski <jeff.sadowski at gmail.com>
Sent: Monday, December 7, 2015 2:56 PM
To: samba
Subject: [Samba] Adding an AD group to /etc/sudoers?

I can't seem to get this working and here is what I have done so far.
I am using samba 4.1.6

my /etc/samba/smb.conf looks like so

   security = ads
   realm = DOMAIN.LONG
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:range = 8000-9999999
   idmap config DOMAIN:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind nested groups=yes
   # so that the users show up in getent
   winbind enum users = Yes
   # doesn't seem to do the same for groups :-/
   winbind enum groups = Yes
   restrict anonymous = 2

In AD my group "it" has gid 8001

# getent group it
it:x:8001:myusername,others


in /etc/sudoers is the line
%it ALL=(ALL:ALL) ALL

when I ssh to said machine like so

ssh myusername at problemhost

then run a command like so

> sudo echo
[sudo] password for myusername:
myusername is not in the sudoers file.  This incident will be reported.

I tried adding another line to /etc/sudoers as follows
%DOMAIN\\it ALL=(ALL:ALL) ALL

and

%DOMAIN\it ALL=(ALL:ALL) ALL

but neither of them works either.

I seem to be able to get into the NFS shares I have group permissions to,
but I cannot get sudo to work with my AD user group.
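Added here as a diagnostic for the situation in this thread (example code, not from any of the posters): it compares the login session's supplementary groups with what NSS resolves for the account, shows which sudoers %group rules such a session can match (including the %DOMAIN\\it escape tried above), and reports how many groups the 16-entry AUTH_SYS limit would drop. All group and account names in it are constructed.

```shell
#!/bin/sh
# Added diagnostic for this thread (not from the original mails). sudo matches
# %group rules against the supplementary groups of the calling process (what
# plain "id" shows), not against the full list NSS/winbind resolves for the
# account ("id username"). Any names used here are constructed examples.

# Print every name in list A (whitespace-separated) that is absent from list B.
groups_missing() {
    for g in $1; do
        found=0
        for h in $2; do
            if [ "$g" = "$h" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$g"; fi
    done
}

# Read sudoers text on stdin and print the group name of each %group rule,
# un-escaping the doubled backslash sudoers uses, so that a rule written as
# "%DOMAIN\\it" is reported as the group DOMAIN\it.
sudoers_groups() {
    sed -n 's/^[[:space:]]*%\([^[:space:]]*\).*/\1/p' | sed 's/\\\\/\\/g'
}

# Print the %groups from the sudoers text in the second argument that a
# session holding the groups in the first argument would actually match.
applicable_groups() {
    session=$1
    printf '%s\n' "$2" | sudoers_groups | while IFS= read -r g; do
        for h in $session; do
            if [ "$g" = "$h" ]; then printf '%s\n' "$g"; break; fi
        done
    done
}

# AUTH_SYS, the default NFS security flavour, carries at most 16 supplementary
# groups per request; print how many of the given groups an NFS server never sees.
nfs_groups_dropped() {
    set -- $1
    if [ "$#" -gt 16 ]; then echo $(($# - 16)); else echo 0; fi
}

# Compare the current login session with what NSS resolves for the same account:
# anything printed is a group sudo cannot see until the session is re-created
# (or, as a test, entered with "newgrp <group>").
diagnose() {
    groups_missing "$(id -Gn "$(id -un)")" "$(id -Gn)"
}
diagnose
```

If `diagnose` prints the group named in your %group rule, the sudoers line is not the problem; the ssh session simply never received that group at login.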