[Samba] Fwd: Winbind and GPO access restrictions?
Kees van Vloten
keesvanvloten at gmail.com
Mon Oct 4 11:10:27 UTC 2021
On 02-10-2021 22:50, Rowland Penny via samba wrote:
> On Sat, 2021-10-02 at 22:46 +0200, Kees van Vloten wrote:
>> On 02-10-2021 22:16, Rowland Penny via samba wrote:
>>> On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
>>>> On 02-10-2021 21:58, Rowland Penny via samba wrote:
>>>>> On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba
>>>>>> I don't know what you have in /etc/sudoers or /etc/sudoers.d.
>>>>> I have already shown that my name is not in /etc/sudoers and
>>>>> /etc/sudoers.d/ is virtually empty:
>>>>> rowland at devstation:~$ ls /etc/sudoers.d
>>>>> But I can use sudo.
>>>> Indeed you did, but you did not show the /etc/sudoers file. I
>>>> expect it to contain a line that allows a group you are a member of
>>>> to provide you root access.
>>> Believe me it doesn't
>>>> If you want to see the sudo rules that match for your user, you
>>>> run sudo -l from your user.
>>> Here you are:
>>> rowland at devstation:~$ sudo -l
>>> [sudo] password for rowland:
>>> Matching Defaults entries for rowland on devstation:
>>> !env_reset, mail_badpass,
>>> \:/bin, env_reset, mail_badpass,
>>> User rowland may run the following commands on devstation:
>>> (ALL : ALL) ALL
>>> Would it help if I told you that I do this on all my Unix domain
>>> members and DC's without modifying any sudo files ?
>> The one thing I see here is that there is indeed a sudo rule that
>> gives you full root access, provided you enter your password.
>> The output does not show on what basis you get this rule "(ALL :
>> ALL) ALL" assigned.
>> I am certain that I do not see that on my machines when I am not in
>> group "sudo".
>> The sudo -l output for my user (which is a member of group sudo) is:
>> kvv at bach:~$ sudo -l
>> [sudo] wachtwoord voor kvv:
>> Overeenkomende standaarditems voor kvv op bach:
>> env_reset, mail_badpass,
>> Gebruiker kvv mag de volgende opdrachten uitvoeren op bach:
>> (ALL : ALL) ALL
>> When comparing the output, I noticed that in yours the "matching
>> defaults" are listed twice. Again, no clue how it got there.
> Yes I noticed that, but it doesn't affect sudo-ldap hint hint
> I must log a sudo bug
Usually you are quick and accurate in your responses, which I really
In the last few messages you are playing hide and seek with me. You did
not show the crucial part of your configuration (/etc/sudoers) and until
the last message you did not talk about the fact you are using
sudo-ldap. Why is this necessary, are we not here to help each other?
I have no doubts that there are more ways to solve a problem and all of
them have their specific pros and cons.
The reason I am using pam_script is because it provides me with a
generic solution for all applications that can work with local
authorization groups. One solution for many applications is a big time
saver. The next reason is that it also works in offline or off-network
logins, i.e. when ldap/samba-dc is not reachable. Although that could
probably be overcome with nscd or lscd, again more than one solution to
get it done.
Still I am interested to learn how you did the sudo-ldap setup, perhaps
there are advantages that I overlooked.
Then again, what about other applications' authorization groups? I used
the example of libvirtd, but pam_script also manages wireshark, sshd,
kvm, docker, audio, video, dialout, cdrom, floppy, lpadmin, plugdev,
bluetooth, netdev, pulse-access, users on my machines?
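The thread above compares two `sudo -l` listings by eye to spot a blanket "(ALL : ALL) ALL" rule and duplicated Defaults items. The script below is an added example (not from the thread or from Samba) that does that comparison mechanically for an audit: it parses English-language `sudo -l` output (the localized Dutch headers in the second listing are not handled) and reports blanket rules, NOPASSWD rules, and Defaults items that are repeated or both negated and set. The sample input is constructed after the first listing; the secure_path value is assumed because the quoted message truncates it.

```python
import re
from collections import Counter

# Constructed sample, modelled on the `sudo -l` output quoted in the thread
# (secure_path is assumed; the quoted message truncates that line).
SAMPLE_SUDO_L = """\
Matching Defaults entries for rowland on devstation:
    !env_reset, mail_badpass,
    secure_path=/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, env_reset, mail_badpass,

User rowland may run the following commands on devstation:
    (ALL : ALL) ALL
"""

# One privilege line: "(runas_user : runas_group) TAG: command list"
RULE_RE = re.compile(r"^\((?P<user>[^:)]+?)\s*(?::\s*(?P<group>[^)]+?))?\)\s*"
                     r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Split `sudo -l` output into Defaults items and (user, group, tags, cmds) rules."""
    defaults, rules, section = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif line.startswith("User ") and "may run" in line:
            section = "rules"
        elif section == "defaults":
            defaults += [i.strip() for i in line.split(",") if i.strip()]
        elif section == "rules" and (m := RULE_RE.match(line)):
            tags = tuple(t.rstrip(":") for t in m["tags"].split())
            rules.append((m["user"].strip(), (m["group"] or "").strip(), tags, m["cmds"].strip()))
    return {"defaults": defaults, "rules": rules}

def audit_sudo_l(text):
    """Return findings a defender would review: blanket rules, NOPASSWD, odd Defaults."""
    parsed, findings = parse_sudo_l(text), []
    for user, group, tags, cmds in parsed["rules"]:
        if user == "ALL" and cmds == "ALL":
            findings.append("blanket rule: any command as any user, tags=%s" % (tags or "none"))
        if "NOPASSWD" in tags:
            findings.append("NOPASSWD rule: %s" % cmds)
    for item, n in Counter(parsed["defaults"]).items():
        if n > 1:
            findings.append("Defaults item listed %d times: %s" % (n, item))
        if item.startswith("!") and item[1:] in parsed["defaults"]:
            findings.append("Defaults item both negated and set: %s" % item[1:])
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L):
        print(finding)
```

Feed it the real output with `sudo -l | python3 audit_sudo_l.py` after replacing the sample with `sys.stdin.read()`; the findings name the rule but, as the thread notes, not where it came from (sudoers, sudoers.d, or sudo-ldap), which still has to be traced by hand.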