[Samba] Fwd: Winbind and GPO access restrictions?

Kees van Vloten keesvanvloten at gmail.com
Sat Oct 2 21:03:39 UTC 2021


On 02-10-2021 22:50, Rowland Penny via samba wrote:
> On Sat, 2021-10-02 at 22:46 +0200, Kees van Vloten wrote:
>> On 02-10-2021 22:16, Rowland Penny via samba wrote:
>>> On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
>>>> On 02-10-2021 21:58, Rowland Penny via samba wrote:
>>>>> On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba
>>>>> wrote:
>>>>>> I don't know what you have in /etc/sudoers or /etc/sudoers.d.
>>>>> I have already shown that my name is not in /etc/sudoers and
>>>>> /etc/sudoers.d/ is virtually empty:
>>>>>
>>>>> rowland at devstation:~$ ls /etc/sudoers.d
>>>>> README
>>>>>
>>>>> But I can use sudo.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>> Indeed you did, but you did not show the /etc/sudoers file. I would
>>>> expect it to contain a line that allows a group you are a member of to
>>>> provide you root access.
>>> Believe me it doesn't
>>>
>>>
>>>
>>>> If you want to see sudo-rules that are matching for your user you can
>>>> do sudo -l from your user.
>>> Here you are:
>>>
>>> rowland at devstation:~$ sudo -l
>>> [sudo] password for rowland:
>>> Matching Defaults entries for rowland on devstation:
>>>       !env_reset, mail_badpass,
>>> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_reset, mail_badpass,
>>>       secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>>
>>> User rowland may run the following commands on devstation:
>>>       (ALL : ALL) ALL
>>>
>>> Would it help if I told you that I do this on all my Unix domain
>>> members and DCs without modifying any sudo files?
>>>
>>> Rowland
>>>
>>>
>>>
>> The one thing I see here is that there is indeed a sudo-rule that allows
>> you full root access given you enter your password.
>> The output does not show on what basis you get this rule "(ALL : ALL) ALL"
>> assigned.
>> I am certain that I do not see that on my machines when I am not in the
>> group "sudo".
>>
>> The sudo -l output for my user (which is a member of group sudo) is:
>>
>> kvv at bach:~$ sudo -l
>> [sudo] wachtwoord voor kvv:
>> Overeenkomende standaarditems voor kvv op bach:
>>       env_reset, mail_badpass,
>> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>
>> Gebruiker kvv mag de volgende opdrachten uitvoeren op bach:
>>       (ALL : ALL) ALL
>>
>> When comparing the output, I noticed in yours "matching default items"
>> are listed twice. Again no clue how it got there.
> Yes I noticed that, but it doesn't affect sudo-ldap hint hint
>
> I must log a sudo bug
>
> Rowland
>
>
>
Are you using sudo-ldap?
Then I guess the matching rule comes from ldap. Indeed, if ldap supplies
sudo-rules then membership of the local group "sudo" is not necessary.
Did you extend the AD-schema to make sudo-ldap work with Samba? Or
what did you configure?

- Kees
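The question above turns on where the "(ALL : ALL) ALL" rule comes from. As an added example (not code from the thread), this Python script parses `sudo -l` output, reads the `sudoers:` line of nsswitch.conf (the line sudo-ldap uses to decide whether LDAP is consulted), and flags duplicated Defaults like those in Rowland's output. The sample output is taken from the thread; the nsswitch.conf content is assumed.

```python
import re

# Constructed sample: the English `sudo -l` output from the thread. Run sudo with
# LC_ALL=C so the labels are not localized (the Dutch output would not match).
SAMPLE_SUDO_L = """\
Matching Defaults entries for rowland on devstation:
    !env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User rowland may run the following commands on devstation:
    (ALL : ALL) ALL
"""

# Assumed /etc/nsswitch.conf: sudo-ldap only queries LDAP when "ldap" is
# listed as a sudoers source here.
SAMPLE_NSSWITCH = "passwd:  files winbind\nsudoers: files ldap\n"


def parse_sudo_l(text):
    """Split `sudo -l` output into its Defaults items and (runas, command) rules."""
    defaults, rules, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif re.match(r"User \S+ may run the following commands", line):
            section = "rules"
        elif line.startswith(" ") and section == "defaults":
            defaults += [i.strip() for i in line.split(",") if i.strip()]
        elif line.startswith(" ") and section == "rules":
            m = re.match(r"\s*\(([^)]*)\)\s+(.*)", line)
            if m:
                rules.append((m.group(1).strip(), m.group(2).strip()))
    return defaults, rules


def sudoers_sources(nsswitch_text):
    """Return the sources on the `sudoers:` line; sudo falls back to files."""
    for line in nsswitch_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "sudoers":
            return value.split()
    return ["files"]


def audit(sudo_l_text, nsswitch_text):
    """Report unrestricted root, whether LDAP is a rule source, and duplicated Defaults."""
    defaults, rules = parse_sudo_l(sudo_l_text)
    seen, dupes = set(), []
    for item in defaults:
        if item in seen and item not in dupes:
            dupes.append(item)
        seen.add(item)
    full_root = any(cmd == "ALL" and runas.split(":")[0].strip() == "ALL" for runas, cmd in rules)
    return {"full_root": full_root,
            "ldap_source": "ldap" in sudoers_sources(nsswitch_text),
            "duplicate_defaults": dupes}
```

Running `audit(SAMPLE_SUDO_L, SAMPLE_NSSWITCH)` shows the full-root rule, that LDAP is a configured source, and that `mail_badpass` and `secure_path` are listed twice.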