[Samba] Adding an AD group to /etc/sudoers?

Jeff Sadowski jeff.sadowski at gmail.com
Thu Dec 10 15:25:43 UTC 2015


Thank you very much, at least I have a temporary workaround.

On Wed, Dec 9, 2015 at 12:32 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:

> OK, after fighting to get my groups sorted out for my test user, I created
> a "sudoer" group and added "jefftest" to "sudoer".
>
> > id jefftest
> uid=11507(jefftest) gid=8513(domain users) groups=8513(domain
> users),31020(sudoer)
>
> and added "sudoer" to /etc/sudoers like so
>
> %sudoer ALL=(ALL) ALL
>
> now when I login as jefftest I can run commands using sudo
>
> back to my other user, whom I also added to sudoer.
> I still cannot run commands using sudo,
> but as you suggested I do the "newgrp it" or "newgrp sudoer"
> and then I can run commands using sudo.
>
> On Wed, Dec 9, 2015 at 8:20 AM, Mattias Zhabinskiy <
> mattiasz at thinklogical.com> wrote:
>
>> Jeff,
>>
>>
>> After ssh try to run:
>>
>>
>> newgrp it
>>
>>
>> and then sudo. See if it will work, then you'll have to figure out what's
>> going on with the user's group membership.
>>
>>
>> Regards,
>>
>> Matt
>>
>>
>> ------------------------------
>> *From:* Jeff Sadowski <jeff.sadowski at gmail.com>
>> *Sent:* Wednesday, December 9, 2015 10:08 AM
>>
>> *To:* Mattias Zhabinskiy; samba
>> *Subject:* Re: [Samba] Adding an AD group to /etc/sudoers?
>>
>> # cat /proc/sys/kernel/ngroups_max
>> 65536
>> # sysctl kernel.ngroups_max
>> kernel.ngroups_max = 65536
>>
>> Is there a way to change/look at AUTH_SYS?
>> Seems I have 28 groups now as my user.
>> I tried creating a test user with far fewer groups,
>> but it turns out it is in all those other groups.
>> As such I tried
>>
>> winbind nested groups=no
>>
>> but this doesn't seem to change anything.
>>
>>
>>
>> On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy <
>> mattiasz at thinklogical.com> wrote:
>>
>>> Jeff,
>>>
>>>
>>> To find out the maximum number of groups allowed per user, run:
>>>
>>> cat /proc/sys/kernel/ngroups_max
>>> or
>>> sysctl kernel.ngroups_max
>>> but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a
>>> test account, add it to the "it" group and test it with sudo, or trim your
>>> account membership to 16 or fewer groups.
>>>
>>> Regards,
>>>
>>> Matt
>>>
>>> ------------------------------
>>> *From:* Jeff Sadowski <jeff.sadowski at gmail.com>
>>> *Sent:* Tuesday, December 8, 2015 4:59 PM
>>> *To:* Mattias Zhabinskiy; samba
>>> *Subject:* Re: [Samba] Adding an AD group to /etc/sudoers?
>>>
>>> # id username|sed "s/,/\n/g"|wc -l
>>> 155
>>>
>>> # id|sed "s/,/\n/g"|wc -l
>>> 28
>>>
>>>
>>> On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
>>> wrote:
>>>
>>>> wbinfo -r username
>>>> shows the gid of it
>>>> and a bunch of -1's, I guess for groups without gids.
>>>> My user belongs to 155 groups; is there a problem with that many groups?
>>>>
>>>> On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
>>>> wrote:
>>>>
>>>>> "id" alone does not show my user in the it group
>>>>> "id username" does
>>>>> why would id alone give different results?
>>>>>
>>>>> which is odd because
>>>>> as my username I can get into a folder that has 0760 permissions with
>>>>> user as root and it as the group
>>>>>
>>>>> as for
>>>>> %it ALL=(ALL) ALL
>>>>> instead of:
>>>>> %it ALL=(ALL:ALL) ALL
>>>>>
>>>>> seems to work the same
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <
>>>>> mattiasz at thinklogical.com> wrote:
>>>>>
>>>>>> Jeff,
>>>>>>
>>>>>> After the ssh, did you run the "id" command to verify that your account
>>>>>> belongs to the "it" group on the remote system?
>>>>>>
>>>>>> Did you try:
>>>>>> %it ALL=(ALL) ALL
>>>>>> instead of:
>>>>>> %it ALL=(ALL:ALL) ALL
>>>>>>
>>>>>> Regards,
>>>>>> Matt
>>>>>>
>>>>>> ________________________________________
>>>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Jeff
>>>>>> Sadowski <jeff.sadowski at gmail.com>
>>>>>> Sent: Monday, December 7, 2015 2:56 PM
>>>>>> To: samba
>>>>>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>>>>>
>>>>>> I can't seem to get this working, and here is what I have done so far.
>>>>>> I am using samba 4.1.6.
>>>>>>
>>>>>> my /etc/samba/smb.conf looks like so
>>>>>>
>>>>>>    security = ads
>>>>>>    realm = DOMAIN.LONG
>>>>>>    workgroup = DOMAIN
>>>>>>    idmap config * : backend = tdb
>>>>>>    idmap config * : range = 2000-7999
>>>>>>    idmap config DOMAIN:backend = ad
>>>>>>    idmap config DOMAIN:range = 8000-9999999
>>>>>>    idmap config DOMAIN:schema_mode = rfc2307
>>>>>>    winbind nss info = rfc2307
>>>>>>    winbind use default domain = yes
>>>>>>    winbind nested groups=yes
>>>>>>    # so that the users show up in getent
>>>>>>    winbind enum users = Yes
>>>>>>    # doesn't seem to do the same for groups :-/
>>>>>>    winbind enum groups = Yes
>>>>>>    restrict anonymous = 2
>>>>>>
>>>>>> In AD my group "it" has gid 8001
>>>>>>
>>>>>> #getent group it
>>>>>> it:x:8001:myusername,others
>>>>>>
>>>>>>
>>>>>> in /etc/sudoers is the line
>>>>>> %it ALL=(ALL:ALL) ALL
>>>>>>
>>>>>> when I ssh to said machine like so
>>>>>>
>>>>>> ssh myusername at problemhost
>>>>>>
>>>>>> then run a command like so
>>>>>>
>>>>>> > sudo echo
>>>>>> [sudo] password for myusername:
>>>>>> myusername is not in the sudoers file.  This incident will be
>>>>>> reported.
>>>>>>
>>>>>> I tried adding another line to /etc/sudoers as follows
>>>>>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>>>>>
>>>>>> and
>>>>>>
>>>>>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>>>>>
>>>>>> but neither of them work either.
>>>>>>
>>>>>> I seem to be able to get into the nfs shares I have group permissions to,
>>>>>> but I cannot get sudo to work with my AD user group.
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
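The thread turns on the difference between bare `id` (the group vector the running session was given at login) and `id username` (what NSS/winbind reports now), and on `newgrp` as the workaround once a group was added in AD after the session started. The script below is an added example, not code from the thread or from the Samba project: it parses both `id` outputs, pulls the `%group` rules out of a sudoers file, and reports per rule whether it matches the current session, is only visible through NSS (so re-login or `newgrp` is needed), is spelled with a `DOMAIN\` prefix that NSS will not return under `winbind use default domain = yes`, or names a group the user is not in at all. The sample `id` lines and the sudoers fragment are constructed, and the helper names (`parse_id_groups`, `sudoers_group_rules`, `diagnose`, `live_diagnose`) are this example's own.

```python
#!/usr/bin/env python3
"""Compare the group vector a login session actually has (bare `id`) with the
membership NSS/winbind reports now (`id username`), and check both against the
%group rules in a sudoers file.

The supplementary groups of a session are fixed when the session starts
(initgroups at login).  A group added in AD afterwards shows up in `id username`
and in `getent group`, but not in the already running session, so a %group
sudoers rule does not match until the user logs in again or runs `newgrp`.
"""
import re
import subprocess
import sys

# Constructed sample data (hypothetical; not captured from any real host).
SESSION_ID = "uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users)"
NSS_ID = ("uid=11507(jefftest) gid=8513(domain users) "
          "groups=8513(domain users),31020(sudoer),8001(it)")
SUDOERS = r"""
# constructed /etc/sudoers fragment
root ALL=(ALL) ALL
%sudoer ALL=(ALL) ALL
%DOMAIN\\it ALL=(ALL:ALL) ALL
%it ALL=(ALL:ALL) ALL
"""

# "8513(domain users)" -> ("8513", "domain users"); names may contain spaces.
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")
# "%group ..." at line start; "\ " inside the name is sudoers' escape for a space.
RULE_RE = re.compile(r"^%((?:\\ |\S)+)")


def parse_id_groups(id_output):
    """Set of group names from one line of id(1) output: primary gid plus groups=."""
    parts = id_output.split("gid=", 1)
    if len(parts) != 2:
        raise ValueError("not id(1) output: %r" % id_output)
    # Everything after "gid=" is the primary group followed by the groups= list.
    return {name for _gid, name in GROUP_RE.findall(parts[1])}


def sudoers_group_rules(sudoers_text):
    """Group names used by %group rules, in file order (comments and user rules skipped)."""
    rules = []
    for line in sudoers_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.group(1).replace("\\ ", " "))
    return rules


def diagnose(session_id, nss_id, sudoers_text):
    """For each %group rule, say whether it matches the session, only NSS, or neither."""
    session = parse_id_groups(session_id)
    nss = parse_id_groups(nss_id)
    report = {}
    for group in sudoers_group_rules(sudoers_text):
        if "\\" in group:
            # With `winbind use default domain = yes` NSS hands out bare names
            # (getent showed "it"), so a DOMAIN\group spelling can never match.
            report[group] = "domain-prefixed spelling; NSS returns bare names"
        elif group in session:
            report[group] = "matches current session"
        elif group in nss:
            report[group] = "in NSS only: re-login or `newgrp %s`" % group
        else:
            report[group] = "user is not a member per NSS"
    return report


def live_diagnose(user, sudoers_path="/etc/sudoers"):
    """Same check against the real host: run id(1) twice and read the sudoers file
    (reading /etc/sudoers normally requires root)."""
    session_id = subprocess.run(["id"], check=True, capture_output=True,
                                text=True).stdout.strip()
    nss_id = subprocess.run(["id", user], check=True, capture_output=True,
                            text=True).stdout.strip()
    with open(sudoers_path) as f:
        return diagnose(session_id, nss_id, f.read())


if __name__ == "__main__":
    result = (live_diagnose(sys.argv[1]) if len(sys.argv) > 1
              else diagnose(SESSION_ID, NSS_ID, SUDOERS))
    for group, verdict in result.items():
        print(f"%{group:<20} {verdict}")
```

Run without arguments to see the constructed case (both `%sudoer` and `%it` come back as "in NSS only", which is exactly the state in which `newgrp` helped in the thread); run with a username on a domain-joined host to compare that session's view with NSS and the real `/etc/sudoers`. The script reads the sudoers file only; `visudo -c` remains the right tool for a syntax check, and this example deliberately does not try to reproduce sudo's own matching beyond the session-vector-versus-NSS distinction the thread demonstrates.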

