[Samba] Fwd: Fwd: Winbind and GPO access restrictions?

Kees van Vloten keesvanvloten at gmail.com
Sat Oct 2 20:47:38 UTC 2021 

On 02-10-2021 22:16, Rowland Penny via samba wrote:
> On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
>> On 02-10-2021 21:58, Rowland Penny via samba wrote:
>>> On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba wrote:
>>>> I don't know what you have in /etc/sudoers or /etc/sudoers.d.
>>> I have already shown that my name is not in /etc/sudoers and
>>> /etc/sudoers.d/ is virtually empty:
>>>
>>> rowland at devstation:~$ ls /etc/sudoers.d
>>> README
>>>
>>> But I can use sudo.
>>>
>>> Rowland
>>>
>>>
>>>
>> Indeed you did, but you did not show the /etc/sudoers file. I would
>> expect it to contain a line that allows a group you are member of to
>> provide you root access.
> Believe me it doesn't
>
>
>
>> If you want to see sudo-rules that are matching for your user you can
>> do
>> sudo -l from your user.
> Here you are:
>
> rowland at devstation:~$ sudo -l
> [sudo] password for rowland:
> Matching Defaults entries for rowland on devstation:
> !env_reset, mail_badpass,
> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin
> \:/bin, env_reset, mail_badpass,
> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/
> sbin\:/bin
>
> User rowland may run the following commands on devstation:
> (ALL : ALL) ALL
>
> Would it help if I told you that I do this on all my Unix domain
> members and DC's without modifying any sudo files ?
>
> Rowland
>
>
>
The one thing I see here is that there is indeed a sudo-rule that allows 
you full root access given you enter your password.
The output does not show on what basis you get this rule "(ALL : ALL) 
ALL" assigned.
I am certain that I do not see that on my machines when I am not in the 
group "sudo".

The sudo -l output on for my user (which is member of group sudo) is:

kvv at bach:~$ sudo -l
[sudo] wachtwoord voor kvv:
Overeenkomende standaarditems voor kvv op bach:
     env_reset, mail_badpass, 
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Gebruiker kvv mag de volgende opdrachten uitvoeren op bach:
     (ALL : ALL) ALL

When comparing the output, I noticed in yours "matching default items" 
are listed twice. Again no clue how it got there. On the other hand I 
have a fresh and unchanged Debian Bullseye setup, so I suspect there are 
changes in yours, at least reason to do a thorough investigation, I 
would say.

- Kees

More information about the samba mailing list