[Samba] Adding an AD group to /etc/sudoers?

Jeff Sadowski jeff.sadowski at gmail.com
Wed Dec 9 19:32:54 UTC 2015


OK, after fighting to get my groups sorted out for my test user, I created a
"sudoer" group and added "jefftest" to "sudoer"

> id jefftest
uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users),31020(sudoer)

and added "sudoer" to /etc/sudoers like so

%sudoer ALL=(ALL) ALL

now when I login as jefftest I can run commands using sudo

Back to my other user, whom I also added to sudoer:
I still cannot run commands using sudo,
but, as you suggested, if I do "newgrp it" or "newgrp sudoer"
I can then run commands using sudo.

On Wed, Dec 9, 2015 at 8:20 AM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:

> Jeff,
>
>
> After ssh try to run:
>
>
> newgrp it
>
>
> and then sudo. See if it will work, then you'll have to figure out what's
> going on with the users groups membership.
>
>
> Regards,
>
> Matt
>
>
> ------------------------------
> *From:* Jeff Sadowski <jeff.sadowski at gmail.com>
> *Sent:* Wednesday, December 9, 2015 10:08 AM
>
> *To:* Mattias Zhabinskiy; samba
> *Subject:* Re: [Samba] Adding an AD group to /etc/sudoers?
>
> # cat /proc/sys/kernel/ngroups_max
> 65536
> # sysctl kernel.ngroups_max
> kernel.ngroups_max = 65536
>
> Is there a way to change/look at AUTH_SYS?
> It seems I have 28 groups now as my user.
> I tried creating a test user with far fewer groups,
> but it turns out it is in all those other groups.
> As such I tried
>
> winbind nested groups=no
>
> but this doesn't seem to change anything.
>
>
>
> On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
>
>> Jeff,
>>
>>
>> To find out maximum number of groups allowed per user run:
>>
>> cat /proc/sys/kernel/ngroups_max
>> or
>> sysctl kernel.ngroups_max
>> but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a
>> test account, add it to the "it" group and test it with sudo, or trim your
>> account membership to 16 or less groups.
>>
>> Regards,
>>
>> Matt
>>
>> ------------------------------
>> *From:* Jeff Sadowski <jeff.sadowski at gmail.com>
>> *Sent:* Tuesday, December 8, 2015 4:59 PM
>> *To:* Mattias Zhabinskiy; samba
>> *Subject:* Re: [Samba] Adding an AD group to /etc/sudoers?
>>
>> # id username|sed "s/,/\n/g"|wc -l
>> 155
>>
>> # id|sed "s/,/\n/g"|wc -l
>> 28
>>
>>
>> On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>
>>> wbinfo -r username
>>> shows the GID of "it"
>>> and a bunch of -1's, I guess for groups without GIDs.
>>> My user belongs to 155 groups; is there a problem with that many groups?
>>>
>>> On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>>
>>>> "id" alone does not show my user in the "it" group;
>>>> "id username" does.
>>>> Why would "id" alone give different results?
>>>>
>>>> Which is odd, because
>>>> as my username I can get into a folder that has 0760 permissions with
>>>> user as root and "it" as the group.
>>>>
>>>> as for
>>>> %it ALL=(ALL) ALL
>>>> instead of:
>>>> %it ALL=(ALL:ALL) ALL
>>>>
>>>> seems to work the same
>>>>
>>>>
>>>>
>>>> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
>>>>
>>>>> Jeff,
>>>>>
>>>>> After the ssh did you run "id" command to verify that your account
>>>>> belongs to the "it" group on the remote system?
>>>>>
>>>>> Did you try:
>>>>> %it ALL=(ALL) ALL
>>>>> instead of:
>>>>> %it ALL=(ALL:ALL) ALL
>>>>>
>>>>> Regards,
>>>>> Matt
>>>>>
>>>>> ________________________________________
>>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Jeff Sadowski <jeff.sadowski at gmail.com>
>>>>> Sent: Monday, December 7, 2015 2:56 PM
>>>>> To: samba
>>>>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>>>>
>>>>> I can't seem to get this working, and here is what I have done so far.
>>>>> I am using Samba 4.1.6.
>>>>>
>>>>> my /etc/samba/smb.conf looks like so
>>>>>
>>>>>    security = ads
>>>>>    realm = DOMAIN.LONG
>>>>>    workgroup = DOMAIN
>>>>>    idmap config * : backend = tdb
>>>>>    idmap config * : range = 2000-7999
>>>>>    idmap config DOMAIN:backend = ad
>>>>>    idmap config DOMAIN:range = 8000-9999999
>>>>>    idmap config DOMAIN:schema_mode = rfc2307
>>>>>    winbind nss info = rfc2307
>>>>>    winbind use default domain = yes
>>>>>    winbind nested groups=yes
>>>>>    # so that the users show up in getent
>>>>>    winbind enum users = Yes
>>>>>    # doesn't seem to do the same for groups :-/
>>>>>    winbind enum groups = Yes
>>>>>    restrict anonymous = 2
>>>>>
>>>>> In AD my group "it" has GID 8001.
>>>>>
>>>>> #getent group it
>>>>> it:x:8001:myusername,others
>>>>>
>>>>>
>>>>> in /etc/sudoers is the line
>>>>> %it ALL=(ALL:ALL) ALL
>>>>>
>>>>> when I ssh to said machine like so
>>>>>
>>>>> ssh myusername at problemhost
>>>>>
>>>>> then run a command like so
>>>>>
>>>>> > sudo echo
>>>>> [sudo] password for myusername:
>>>>> myusername is not in the sudoers file.  This incident will be reported.
>>>>>
>>>>> I tried adding another line to /etc/sudoers as follows
>>>>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>>>>
>>>>> and
>>>>>
>>>>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>>>>
>>>>> but neither of them work either.
>>>>>
>>>>> I seem to be able to get into the NFS shares I have group permissions to,
>>>>> but I cannot get sudo to work with my AD user group.
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
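The mismatch that runs through this thread ("id" not showing a group that "id username" shows, sudo only matching the %group rule after "newgrp", and the 16-group AUTH_SYS limit Matt mentions) can be checked on a host with a small script. The one below is an added diagnostic, not code from the thread or from Samba; it parses `id`-style output, reports which NSS groups the current login session has not picked up yet, tells whether a sudoers `%group` rule would match the session's group vector, and warns when an account exceeds the 16 supplementary groups that AUTH_SYS can carry. The sample `id` lines are constructed to match the format quoted in the thread; the account and group names (`jefftest`, `sudoer`, `nfsuser`, `groupN`) are examples only.

```shell
#!/bin/sh
# Added diagnostic helper (not from the mailing list thread or from Samba).
# It compares the group list of the *current session* ("id") with the list
# NSS reports for the account ("id <user>"). Session groups are fixed at login
# by initgroups(); a group granted afterwards only appears after a fresh login
# or "newgrp <group>", which is why sudo's %group rule did not match until then.

# Print the group names in one "id" output line, one per line.
# Assumed format: uid=N(name) gid=N(name) groups=N(name),N(name),...
# Names may contain spaces ("domain users"), so split on commas only.
id_group_names() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(//; s/)$//'
}

# Number of groups in one "id" output line.
id_group_count() {
    id_group_names "$1" | awk 'END { print NR }'
}

# Groups that NSS grants the account ($2) but the login session ($1) lacks.
missing_session_groups() {
    session_names=$(id_group_names "$1")
    id_group_names "$2" | while IFS= read -r g; do
        printf '%s\n' "$session_names" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done
}

# Would a sudoers rule "%<group> ALL=(ALL) ALL" match this session?
# Returns 0 when the group is in the session's group vector, 1 otherwise.
sudoers_group_rule_matches() {
    id_group_names "$2" | grep -Fxq -- "$1"
}

# AUTH_SYS (NFS sec=sys) carries at most 16 supplementary groups; groups
# beyond that never reach the NFS server. Returns 0 within the limit, else 1.
within_auth_sys_limit() {
    [ "$(id_group_count "$1")" -le 16 ]
}

# Constructed sample data, not real accounts:
# the session as it was started before "sudoer" membership was granted ...
SESSION_ID='uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users)'
# ... and what NSS (winbind) reports for the account now.
NSS_ID='uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users),31020(sudoer)'
# Constructed: an account in 17 groups, one over the AUTH_SYS limit.
MANY_GROUPS_ID='uid=11508(nfsuser) gid=8513(domain users) groups=8513(domain users)'
i=1
while [ "$i" -le 16 ]; do
    MANY_GROUPS_ID="$MANY_GROUPS_ID,$((20000 + i))(group$i)"
    i=$((i + 1))
done

main() {
    printf 'Session groups : %s\n' "$(id_group_count "$SESSION_ID")"
    printf 'NSS groups     : %s\n' "$(id_group_count "$NSS_ID")"
    missing=$(missing_session_groups "$SESSION_ID" "$NSS_ID")
    [ -n "$missing" ] && printf 'Not in session yet (log in again or newgrp): %s\n' "$missing"
    if sudoers_group_rule_matches sudoer "$SESSION_ID"; then
        echo '%sudoer rule matches this session'
    else
        echo '%sudoer rule does NOT match this session'
    fi
    within_auth_sys_limit "$MANY_GROUPS_ID" \
        || echo 'WARNING: nfsuser is in more than 16 groups; NFS AUTH_SYS drops the rest'
}

main
```

On a real host, replace the constructed strings with `SESSION_ID=$(id)` and `NSS_ID=$(id "$USER")`; a non-empty "not in session yet" list is the signal that a new login (or `newgrp`) is needed rather than a sudoers edit, and the AUTH_SYS warning explains why trimming membership or using a test account with few groups was suggested for the NFS side.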

