[Samba] Fwd: Winbind and GPO access restrictions?
Kees van Vloten
keesvanvloten at gmail.com
Sat Oct 2 19:51:55 UTC 2021
On 02-10-2021 21:34, Rowland Penny via samba wrote:
> On Sat, 2021-10-02 at 20:20 +0200, Kees van Vloten via samba wrote:
>> #! /bin/bash
>> #
>> SUPPORTED_SERVICES="login sshd sddm-helper"
>> SCRIPT_CALLED_AS="$(basename "$0")"
>>
>> [[ -n "${PAM_USER}" ]] || exit 0
>> [[ -n "${PAM_SERVICE}" ]] || exit 0
>> ! grep -q "^${PAM_USER}:" /etc/passwd || exit 0 # Do not do this for local users !!
>> echo "${SUPPORTED_SERVICES}" | grep -wq "${PAM_SERVICE}" || exit 0
>>
>> declare -A GROUP_MAP
>> GROUP_MAP["acl-app_libvirt-access"]="libvirt"
>> # Allow sudo to root for:
>> GROUP_MAP["acl-desktops_sudo_root"]="sudo"
>>
>> # https://wiki.debian.org/SystemGroups
>> # Allow access to devices:
>> GROUP_MAP["grp_${PAM_USER}"]="audio,video,dialout,cdrom,floppy,lpadmin,plugdev,bluetooth,netdev,pulse-access,users"
>>
>> if [[ "${SCRIPT_CALLED_AS}" == "pam_script_ses_close" ]]; then
>>     # Count remaining sessions with an exact user-name match (-x),
>>     # so that e.g. "al" does not also count "alice"
>>     N_LOGINS=$(who | awk '{print $1}' | grep -cx "${PAM_USER}")
>>     if [[ ${N_LOGINS} -eq 0 ]]; then
>>         # Last session closed: drop all supplementary groups again
>>         usermod -G "" "${PAM_USER}"
>>     fi
>>
>> elif [[ "${SCRIPT_CALLED_AS}" == "pam_script_ses_open" ]]; then
>>     USER_GROUPS="$(id -Gn "${PAM_USER}")"
>>     for DOMAIN_GROUP in "${!GROUP_MAP[@]}"; do
>>         if echo "${USER_GROUPS}" | grep -wq "${DOMAIN_GROUP}"; then
>>             LOCAL_GROUPS="$(echo "${GROUP_MAP[$DOMAIN_GROUP]}" | sed 's/,/ /g')"
>>             for LOCAL_GROUP in $LOCAL_GROUPS; do
>>                 # Only add groups that exist in /etc/group on this host
>>                 grep -q "^${LOCAL_GROUP}:" /etc/group || continue
>>                 usermod -a -G "${LOCAL_GROUP}" "${PAM_USER}"
>>             done
>>         fi
>>     done
>> fi
>> exit 0
>>
>> Now /etc/group is actually updated when you log in or log out, and even
>> libvirtd sees the memberships correctly.
>>
>> - Kees
>>
>>
> Interesting, but libvirt looks like you can use kerberos and you do not
> need to be a local member of sudo (or to put another way, your user
> does not need to be in /etc/sudoers):
>
> rowland at devstation:~$ id rowland | grep 'sudo'
> rowland at devstation:~$ samba -V
> bash: samba: command not found
> rowland at devstation:~$ sudo samba -V
> Version 4.14.7-Debian
>
> Care to explain how I can run sudo without apparently being a member of
> the group 'sudo' ?
>
> Rowland
>
I don't know what you have in /etc/sudoers or /etc/sudoers.d. The
default is:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
My /etc/sudoers.d is empty.
So here the group sudoers determines who can do anything on the system.
BTW, for sudoers pam_group is working as expected, but for many other
local groups it is not sufficient; libvirt was just one example.
- Kees.
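Added here as an example (not code from the thread): a dry-run of the hook's two decisions that can be checked offline, i.e. which local groups a given set of domain groups would map to (filtered to groups that exist in a constructed stand-in for /etc/group), and how many sessions still count at session close using an exact user-name match. The group map and the sample `who` output are constructed for the example.

```shell
#!/bin/sh
# Constructed domain-group -> local-group map (one "domain=local1,local2" per line).
GROUP_MAP='acl-app_libvirt-access=libvirt
acl-desktops_sudo_root=sudo
grp_alice=audio,video,plugdev'

# Constructed stand-in for /etc/group (name:x:gid:members); video and
# plugdev are deliberately absent so the existence filter is exercised.
SAMPLE_GROUP_FILE=$(mktemp)
cat >"$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
sudo:x:27:
libvirt:x:120:
audio:x:29:
EOF

# local_groups_for USER_GROUPS GROUP_FILE
#   USER_GROUPS: space-separated group names, as `id -Gn` prints them.
#   Prints, one per line, the local groups the session-open hook would
#   grant, without calling usermod.
local_groups_for() {
    user_groups=$1
    group_file=$2
    printf '%s\n' "$GROUP_MAP" | while IFS='=' read -r domain_group locals; do
        # Whole-word match on the domain group name, as in the hook
        printf '%s\n' "$user_groups" | grep -wq "$domain_group" || continue
        for local_group in $(printf '%s' "$locals" | tr ',' ' '); do
            # Skip mapped groups that do not exist on this host
            grep -q "^${local_group}:" "$group_file" || continue
            printf '%s\n' "$local_group"
        done
    done
}

# active_sessions USER WHO_OUTPUT
#   Counts lines of `who` output whose first field equals USER exactly;
#   a plain substring grep would let "al" also count "alice" and keep
#   the revocation at session close from ever firing.
active_sessions() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}
```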