[Samba] Sudo rules in samba with winbind

Rowland Penny rpenny at samba.org
Fri Apr 12 14:57:11 UTC 2019

On Fri, 12 Apr 2019 16:12:53 +0200
Martin Krämer via samba <samba at lists.samba.org> wrote:

> Hello All,
> I am currently changing my samba linux clients (Debian) from sssd
> binding to winbind.
> With sssd I had all sudo rules within the samba active directory.
> The configuration was based on:
> https://lists.samba.org/archive/samba/2016-April/199402.html
> Is there some guideline like the one mentioned available/has someone
> already experience with this for winbind based clients?
> Within the conversation I found that Rowland was trying to setup
> something like this but seemed to have problems with "k5start". Well,
> I still have problems with the basics since based on
> https://manpages.debian.org/stretch/sudo-ldap/sudoers.ldap.5.en.html
> I need to configure /etc/nsswitch.conf.
> I decided for test to just keep "*sudoers: ldap*"
> As soon as I change this I recieve the following error (based on my
> test independently what I define within /etc/sudo-ldap.conf:
> *user at cd2bd668e00c7:~$ sudo -v*
> *sudo: no valid sudoers sources found, quitting*
> *sudo: unable to initialize policy plugin*
> Thanks for help & hints
> Martin

I take it you would like to see something like this:

sudo nano /etc/nsswitch.conf 
sudo: LDAP Config Summary
sudo: ===================
sudo: uri              ldap://dc4.samdom.example.com
sudo: ldap_version     3
sudo: sudoers_base     OU=SUDOers,DC=samdom,DC=example,DC=com
sudo: search_filter    (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn           (anonymous)
sudo: bindpw           (anonymous)
sudo: ssl              (no)
sudo: use_sasl         yes
sudo: sasl_auth_id     $USER
sudo: rootuse_sasl     -1
sudo: rootsasl_auth_id (NONE)
sudo: sasl_secprops    (NONE)
sudo: krb5_ccname      (NONE)
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_interactive_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: found:CN=defaults,OU=SUDOers,DC=samdom,DC=example,DC=com
sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=rowland)(sudoUser=%domain users)(sudoUser=%#10000)(sudoUser=%netdev)(sudoUser=%unixtest)(sudoUser=%BUILTIN\5cadministrators)(sudoUser=%BUILTIN\5cusers)(sudoUser=%unixgroup)(sudoUser=%testgroup)(sudoUser=%group12)(sudoUser=%printeradmin)(sudoUser=%unix admins)(sudoUser=%#102)(sudoUser=%#1001)(sudoUser=%#2000)(sudoUser=%#2001)(sudoUser=%#10002)(sudoUser=%#10004)(sudoUser=%#10010)(sudoUser=%#10011)(sudoUser=%#10024)(sudoUser=ALL)))'
sudo: searching from base 'OU=SUDOers,DC=samdom,DC=example,DC=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base 'OU=SUDOers,DC=samdom,DC=example,DC=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: sorting remaining 1 entries
sudo: searching LDAP for sudoers entries
sudo: Command allowed
sudo: LDAP entry: 0x55b665ecf1f0
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(0)=0x02
sudo: removing reusable search result


More information about the samba mailing list