[Samba] Fwd: Winbind and GPO access restrictions?

Rowland Penny rpenny at samba.org
Sat Oct 2 20:50:18 UTC 2021


On Sat, 2021-10-02 at 22:46 +0200, Kees van Vloten wrote:
> On 02-10-2021 22:16, Rowland Penny via samba wrote:
> > On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
> > > On 02-10-2021 21:58, Rowland Penny via samba wrote:
> > > > On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba wrote:
> > > > > I don't know what you have in /etc/sudoers or /etc/sudoers.d.
> > > > I have already shown that my name is not in /etc/sudoers and
> > > > /etc/sudoers.d/ is virtually empty:
> > > > 
> > > > rowland at devstation:~$ ls /etc/sudoers.d
> > > > README
> > > > 
> > > > But I can use sudo.
> > > > 
> > > > Rowland
> > > > 
> > > Indeed you did, but you did not show the /etc/sudoers file. I would
> > > expect it to contain a line that allows a group you are a member of
> > > to give you root access.
> > Believe me, it doesn't.
> > 
> > > If you want to see the sudo rules that match your user, you can run
> > > sudo -l as that user.
> > Here you are:
> > 
> > rowland at devstation:~$ sudo -l
> > [sudo] password for rowland:
> > Matching Defaults entries for rowland on devstation:
> >      !env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_reset, mail_badpass,
> >      secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
> > 
> > User rowland may run the following commands on devstation:
> >      (ALL : ALL) ALL
> > 
> > Would it help if I told you that I do this on all my Unix domain
> > members and DCs without modifying any sudo files?
> > 
> > Rowland
> > 
> The one thing I see here is that there is indeed a sudo rule that allows
> you full root access, provided you enter your password.
> The output does not show on what basis you get this rule "(ALL : ALL) ALL"
> assigned.
> I am certain that I do not see that on my machines when I am not in the
> group "sudo".
> 
> The sudo -l output for my user (which is a member of group sudo) is:
> 
> kvv at bach:~$ sudo -l
> [sudo] wachtwoord voor kvv:
> Overeenkomende standaarditems voor kvv op bach:
>      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
> 
> Gebruiker kvv mag de volgende opdrachten uitvoeren op bach:
>      (ALL : ALL) ALL
> 
> When comparing the output, I noticed that in yours the "matching default
> items" are listed twice. Again, no clue how it got there.

Yes, I noticed that, but it doesn't affect sudo-ldap, hint hint.

I must log a sudo bug.

Rowland
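The point of the exchange is that `sudo -l` shows which rules match but not where they come from: rules can be served by sudo-ldap or sssd via the `sudoers:` line in nsswitch.conf rather than by /etc/sudoers. The following audit helper is an added example, not code from the thread or from the Samba project; it reads a constructed nsswitch.conf fragment and a constructed `sudo -l` transcript (shaped like the one posted above) and reports the configured sudoers sources, whether the Defaults block is duplicated, and whether the user holds an unrestricted "(ALL : ALL) ALL" grant.

```shell
#!/bin/sh
# Added example: audit where sudo rules may originate on a domain member.
# All sample input below is constructed for the example, not taken from a real host.

# Constructed nsswitch.conf fragment as a sudo-ldap (or sssd) setup would carry it.
SAMPLE_NSSWITCH='passwd:         files winbind
group:          files winbind
sudoers:        files ldap'

# Constructed sudo -l transcript, shaped like the one quoted in the thread.
SAMPLE_SUDO_L='Matching Defaults entries for rowland on devstation:
    !env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rowland may run the following commands on devstation:
    (ALL : ALL) ALL'

# Print the sources named on the "sudoers:" line of nsswitch.conf text read from stdin.
# "files" means /etc/sudoers and /etc/sudoers.d; "ldap" or "sss" means directory-backed rules.
sudoers_sources() {
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) printf "%s ", $i; print "" }' | sed 's/ *$//'
}

# Count occurrences of "mail_badpass" in the Defaults block of sudo -l output read from
# stdin (everything before the "User ... may run" line); more than one means the
# Defaults entries were applied twice, as noticed in the thread.
defaults_dup_count() {
    awk '/^User .* may run/ { exit } { n += gsub(/mail_badpass/, "") } END { print n + 0 }'
}

# Print 1 if sudo -l output read from stdin contains an unrestricted root grant, else 0.
grants_full_root() {
    if grep -q '^ *(ALL *: *ALL) *ALL *$'; then echo 1; else echo 0; fi
}

# Stand-alone run over the constructed samples.
main() {
    printf 'sudoers sources : %s\n' "$(printf '%s\n' "$SAMPLE_NSSWITCH" | sudoers_sources)"
    printf 'Defaults repeats: %s\n' "$(printf '%s\n' "$SAMPLE_SUDO_L" | defaults_dup_count)"
    printf 'full root grant : %s\n' "$(printf '%s\n' "$SAMPLE_SUDO_L" | grants_full_root)"
}
main
```

On a real host, feed the functions `cat /etc/nsswitch.conf` and `sudo -l` instead of the samples; a `sudoers:` line listing ldap or sss explains a grant that appears in no local sudoers file.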