[Samba] Fwd: Winbind and GPO access restrictions?

Rowland Penny rpenny at samba.org
Sat Oct 2 19:34:30 UTC 2021


On Sat, 2021-10-02 at 20:20 +0200, Kees van Vloten via samba wrote:
> 
> #! /bin/bash
> #
> SUPPORTED_SERVICES="login sshd sddm-helper"
> SCRIPT_CALLED_AS="$(basename "$0")"
> 
> [[ -n "${PAM_USER}" ]] || exit 0
> [[ -n "${PAM_SERVICE}" ]] || exit 0
> ! grep -q "^${PAM_USER}:" /etc/passwd || exit 0  # Do not do this for local users !!
> echo "${SUPPORTED_SERVICES}" | grep -wq "${PAM_SERVICE}" || exit 0
> 
> # Domain group -> comma-separated list of local groups to add the user to
> declare -A GROUP_MAP
> GROUP_MAP["acl-app_libvirt-access"]="libvirt"
> # Allow sudo to root for:
> GROUP_MAP["acl-desktops_sudo_root"]="sudo"
> 
> # https://wiki.debian.org/SystemGroups
> # Allow access to devices:
> GROUP_MAP["grp_${PAM_USER}"]="audio,video,dialout,cdrom,floppy,lpadmin,plugdev,bluetooth,netdev,pulse-access,users"
> 
> if [[ "${SCRIPT_CALLED_AS}" == "pam_script_ses_close" ]]; then
>     # Count the sessions still open for exactly this user (-x: whole-line match,
>     # so a user named "kees2" does not keep "kees" in the local groups)
>     N_LOGINS=$(who | awk '{print $1}' | grep -x "${PAM_USER}" | wc -l)
>     if [[ ${N_LOGINS} -eq 0 ]]; then
>         usermod -G "" "${PAM_USER}"
>     fi
> 
> elif [[ "${SCRIPT_CALLED_AS}" == "pam_script_ses_open" ]]; then
>     USER_GROUPS="$(id -Gn "${PAM_USER}")"
>     for DOMAIN_GROUP in "${!GROUP_MAP[@]}"; do
>         if echo "${USER_GROUPS}" | grep -wq "${DOMAIN_GROUP}"; then
>             LOCAL_GROUPS="$(echo "${GROUP_MAP[$DOMAIN_GROUP]}" | sed 's/,/ /g')"
>             for LOCAL_GROUP in $LOCAL_GROUPS; do
>                 # Only add to groups that actually exist locally
>                 grep -q "^${LOCAL_GROUP}:" /etc/group || continue
>                 usermod -a -G "${LOCAL_GROUP}" "${PAM_USER}"
>             done
>         fi
>     done
> fi
> exit 0
> 
> Now /etc/group is actually updated when you login or logout and even 
> libvirtd sees the memberships correctly.
> 
> - Kees
> 
> 

Interesting, but it looks like libvirt can use Kerberos, and you do not
need to be a local member of sudo (or to put it another way, your user
does not need to be in /etc/sudoers):

rowland at devstation:~$ id rowland | grep 'sudo'
rowland at devstation:~$ samba -V
bash: samba: command not found
rowland at devstation:~$ sudo samba -V
Version 4.14.7-Debian

Care to explain how I can run sudo without apparently being a member of
the group 'sudo' ?

Rowland
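
The group-mapping and session-count logic from Kees's script, as an added example that is not part of either message: it runs on constructed `id -Gn` and `who` output, uses exact token matching instead of `grep -w` and substring `grep` (so `app_libvirt-access` cannot match inside `acl-app_libvirt-access`, and `kees2` is not counted as a session of `kees`), and keeps the map as plain text rather than a bash associative array so it also runs under POSIX sh. The domain group names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example, not Kees's pam_script: exact-match helpers for the
# domain-group -> local-group mapping. Map format: "<domain group> <local,groups>"
GROUP_MAP='acl-app_libvirt-access libvirt
acl-desktops_sudo_root sudo'

# has_group "<space-separated group list>" "<name>"
# Whole-token comparison; grep -w would treat '-' as a word boundary and let
# 'app_libvirt-access' match inside 'acl-app_libvirt-access'.
has_group() {
  for g in $1; do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# local_groups_for "<id -Gn output>" -> local groups to add, one per line, sorted
local_groups_for() {
  printf '%s\n' "$GROUP_MAP" | while read -r dg lg; do
    if has_group "$1" "$dg"; then
      printf '%s\n' "$lg" | tr ',' '\n'
    fi
  done | sort -u
}

# active_sessions "<who output>" "<user>" -> number of sessions whose first
# field is exactly that user (the script's plain grep also counted "kees2")
active_sessions() {
  printf '%s\n' "$1" | awk -v u="$2" '$1 == u' | wc -l | tr -d ' '
}

# Constructed sample input (not real command output)
SAMPLE_ID="domain users acl-app_libvirt-access app_libvirt-access"
SAMPLE_WHO="kees     tty7         2021-10-02 19:00 (:0)
kees2    pts/0        2021-10-02 19:10 (10.0.0.5)"

local_groups_for "$SAMPLE_ID"        # prints: libvirt
active_sessions "$SAMPLE_WHO" kees   # prints: 1
```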
