[Samba] Fwd: Fwd: Winbind and GPO access restrictions?
Kees van Vloten
keesvanvloten at gmail.com
Sat Oct 2 20:47:38 UTC 2021
On 02-10-2021 22:16, Rowland Penny via samba wrote:
> On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
>> On 02-10-2021 21:58, Rowland Penny via samba wrote:
>>> On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba wrote:
>>>> I don't know what you have in /etc/sudoers or /etc/sudoers.d.
>>> I have already shown that my name is not in /etc/sudoers and
>>> /etc/sudoers.d/ is virtually empty:
>>>
>>> rowland at devstation:~$ ls /etc/sudoers.d
>>> README
>>>
>>> But I can use sudo.
>>>
>>> Rowland
>>>
>>>
>>>
>> Indeed you did, but you did not show the /etc/sudoers file. I would
>> expect it to contain a line that allows a group you are member of to
>> provide you root access.
> Believe me it doesn't
>
>
>
>> If you want to see sudo-rules that are matching for your user you can
>> do
>> sudo -l from your user.
> Here you are:
>
> rowland at devstation:~$ sudo -l
> [sudo] password for rowland:
> Matching Defaults entries for rowland on devstation:
> !env_reset, mail_badpass,
> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin
> \:/bin, env_reset, mail_badpass,
> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/
> sbin\:/bin
>
> User rowland may run the following commands on devstation:
> (ALL : ALL) ALL
>
> Would it help if I told you that I do this on all my Unix domain
> members and DC's without modifying any sudo files ?
>
> Rowland
>
>
>
The one thing I see here is that there is indeed a sudo-rule that allows
you full root access given you enter your password.
The output does not show on what basis you get this rule "(ALL : ALL)
ALL" assigned.

I am certain that I do not see that on my machines when I am not in the
group "sudo".

The sudo -l output for my user (which is a member of group sudo) is:

kvv at bach:~$ sudo -l
[sudo] wachtwoord voor kvv:
Overeenkomende standaarditems voor kvv op bach:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Gebruiker kvv mag de volgende opdrachten uitvoeren op bach:
(ALL : ALL) ALL

When comparing the output, I noticed in yours "matching default items"
are listed twice. Again no clue how it got there. On the other hand I
have a fresh and unchanged Debian Bullseye setup, so I suspect there are
changes in yours, at least reason to do a thorough investigation, I
would say.

- Kees
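
The comparison made in the message above (Defaults entries listed twice, once with !env_reset and once with env_reset) can be checked mechanically when auditing several machines. The following is an added example, not part of the original thread: it parses `sudo -l` output and reports repeated and contradictory Defaults entries. It assumes the output was captured with LC_ALL=C so the header is in English; the function names are hypothetical, and the sample is reconstructed from the quoted output with the mail line wrapping undone.

```python
import re
from collections import Counter

# Constructed sample: the quoted `sudo -l` output from the thread,
# with the e-mail line wrapping undone.
SAMPLE = r"""Matching Defaults entries for rowland on devstation:
    !env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rowland may run the following commands on devstation:
    (ALL : ALL) ALL
"""


def defaults_entries(sudo_l_output):
    """Return the Defaults settings from `sudo -l` output, in listed order.

    Assumption: English header (LC_ALL=C) and no commas inside values.
    """
    m = re.search(r"^Matching Defaults entries for [^\n]*:\n(.*?)(?:\n\s*\n|\Z)",
                  sudo_l_output, re.S | re.M)
    if not m:
        return []
    # The block is one comma-separated list that sudo wraps over lines.
    joined = " ".join(line.strip() for line in m.group(1).splitlines())
    return [e.strip() for e in joined.split(",") if e.strip()]


def audit_defaults(entries):
    """Report entries listed more than once and settings both set and negated."""
    counts = Counter(entries)
    duplicated = sorted(e for e, n in counts.items() if n > 1)
    plain = {e for e in entries if not e.startswith("!")}
    negated = {e[1:] for e in entries if e.startswith("!")}
    return {"duplicated": duplicated, "conflicting": sorted(plain & negated)}


if __name__ == "__main__":
    report = audit_defaults(defaults_entries(SAMPLE))
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
```
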