[Samba] [Solved] Samba 4 sudoers
rpenny at samba.org
Thu Apr 21 07:41:35 UTC 2016
On 21/04/16 06:40, John Gardeniers wrote:
> Good news, I now have this working. Once I finish writing my notes
> I'll make them available to whoever might want them. Just to clarify
> things a bit, here is what we have and what we wanted:
> * Linux users are authenticated by the Samba 4 domain controllers via
> SSSD, which itself uses LDAP.
> * As we are a development house, we have a rather complex set of
> users/groups/permissions on the numerous servers. We wanted to manage
> this centrally via Active Directory, without touching the sudoers file
> on the Linux side.
> * As of now, on a test domain which is functionally a replica of our
> production domain, we are able to manage sudo permissions on our AD
> users and groups via a combination of ADSI Edit and ADUC.
> ADSI Edit is used only to create a new rule, which we then edit in
> ADUC. As I am the only member of our team who has ever dealt with
> Active Directory before, we are looking for any GUI tool which can make
> this a bit more intuitive, as the native Linux speakers aren't overly
> comfortable with the aforementioned tools. If you know of any we'd
> like to know.
> A bit more testing and we can copy this to production. :)
> On 20/04/16 14:18, John Gardeniers wrote:
>> Has anyone here managed to get sudo working with Samba 4 AD users,
>> using either ldap or sssd, with sssd preferred? If so, can you please
>> point me in the direction of whatever instructions you used? It seems
>> like there are a bunch of tutorials on the subject, each with
>> different, and sometimes conflicting, information but none of those
>> I've tried work for me.
I had this working some time ago, when I thought the only way was sssd,
and yes, it would be nice to have a GUI, but I don't know of one.
I have been working on getting sudo to work with winbind and am
struggling a bit at the moment, not with sudo and AD, but with k5start.
I need this to make sure there is a ticket for the user that reads the
sudo rules in AD, only problem, k5start doesn't seem to want to start at