[Samba] Fwd: Winbind and GPO access restrictions?

Mon Oct 4 11:10:27 UTC 2021

On 02-10-2021 22:50, Rowland Penny via samba wrote:
> On Sat, 2021-10-02 at 22:46 +0200, Kees van Vloten wrote:
>> On 02-10-2021 22:16, Rowland Penny via samba wrote:
>>> On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
>>>> On 02-10-2021 21:58, Rowland Penny via samba wrote:
>>>>> On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba
>>>>> wrote:
>>>>>> I don't know what you have in /etc/sudoers or /etc/sudoers.d.
>>>>> I have already shown that my name is not in /etc/sudoers and
>>>>> /etc/sudoers.d/ is virtually empty:
>>>>>
>>>>> rowland at devstation:~$ ls /etc/sudoers.d
>>>>> README
>>>>>
>>>>> But I can use sudo.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>> Indeed you did, but you did not show the /etc/sudoers file. I
>>>> would
>>>> expect it to contain a line that allows a group you are member of
>>>> to
>>>> provide you root access.
>>> Believe me it doesn't
>>>
>>>
>>>
>>>> If you want to see sudo-rules that are matching for your user you
>>>> can
>>>> do
>>>> sudo -l from your user.
>>> Here you are:
>>>
>>> rowland at devstation:~$ sudo -l
>>> [sudo] password for rowland:
>>> Matching Defaults entries for rowland on devstation:
>>>       !env_reset, mail_badpass,
>>> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/
>>> sbin
>>> \:/bin, env_reset, mail_badpass,
>>>       secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/b
>>> in\:/
>>> sbin\:/bin
>>>
>>> User rowland may run the following commands on devstation:
>>>       (ALL : ALL) ALL
>>>
>>> Would it help if I told you that I do this on all my Unix domain
>>> members and DC's without modifying any sudo files ?
>>>
>>> Rowland
>>>
>>>
>>>
>> The one thing I see here is that there is indeed a sudo-rule that
>> allows
>> you full root access given you enter your password.
>> The output does not show on what basis you get this rule "(ALL :
>> ALL)
>> ALL" assigned.
>> I am certain that I do not see that on my machines when I am not in
>> the
>> group "sudo".
>>
>> The sudo -l output on for my user (which is member of group sudo) is:
>>
>> kvv at bach:~$ sudo -l
>> [sudo] wachtwoord voor kvv:
>> Overeenkomende standaarditems voor kvv op bach:
>>       env_reset, mail_badpass,
>> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sb
>> in\:/bin
>>
>> Gebruiker kvv mag de volgende opdrachten uitvoeren op bach:
>>       (ALL : ALL) ALL
>>
>> When comparing the output, I noticed in yours "matching default
>> items"
>> are listed twice. Again no clue how it got there.
> Yes I noticed that, but it doesn't affect sudo-ldap hint hint
>
> I must log a sudo bug
>
> Rowland
>
>
>
Hi Rowland,

Usually you are quick and acurate in your responses, which I really 
appreciate.
In the last few messages you are playing hide and seek with me. You did 
not show the crucial part of your configuration (/etc/sudoers) and until 
the last message you did not talk about the fact you are using 
sudo-ldap. Why is this necessary, are we not here to help each other?

I have no doubts that there are more ways to solve a problem and all of 
them have their specific pros and cons.

The reason I am using pam_script is because it provides me with a 
generic solution for all applications that can work with local 
authorization groups. One solution for many applications is a big time 
saver. The next reason is that it also works in offline or off-network 
logins, i.e. when ldap/samba-dc is not reachable. Although that could 
probably be overcome with nscd or lscd, again more than one solution to 
get it done.

Still I am interested to learn how you did the sudo-ldap setup, perhaps 
there are advantages that I overlooked.
Then again what about other applications authorization groups? I used 
the example of libvirtd but pam_scripts also manages wireshark, sshd, 
kvm, docker, audio,video, dialout, cdrom, floppy, lpadmin, plugdev, 
bluetooth, netdev, pulse-access, users on my machines?

- Kees