[Samba] Fwd: Fwd: Winbind and GPO access restrictions?

Kees van Vloten keesvanvloten at gmail.com
Mon Oct 4 16:42:46 UTC 2021

On 04-10-2021 17:39, Rowland Penny via samba wrote:
> On Mon, 2021-10-04 at 13:10 +0200, Kees van Vloten via samba wrote:
>> On 02-10-2021 22:50, Rowland Penny via samba wrote:
>>> On Sat, 2021-10-02 at 22:46 +0200, Kees van Vloten wrote:
>>>> On 02-10-2021 22:16, Rowland Penny via samba wrote:
>>>>> On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
>>>>>> On 02-10-2021 21:58, Rowland Penny via samba wrote:
>>>>>>> On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba wrote:
>>>>>>>> I don't know what you have in /etc/sudoers or /etc/sudoers.d.
>>>>>>> I have already shown that my name is not in /etc/sudoers and
>>>>>>> /etc/sudoers.d/ is virtually empty:
>>>>>>> rowland at devstation:~$ ls /etc/sudoers.d
>>>>>>> README
>>>>>>> But I can use sudo.
>>>>>>> Rowland
>>>>>> Indeed you did, but you did not show the /etc/sudoers file. I would
>>>>>> expect it to contain a line that allows a group you are a member of
>>>>>> to provide you root access.
>>>>> Believe me it doesn't
>>>>>> If you want to see sudo-rules that are matching for your user you
>>>>>> can do sudo -l from your user.
>>>>> Here you are:
>>>>> rowland at devstation:~$ sudo -l
>>>>> [sudo] password for rowland:
>>>>> Matching Defaults entries for rowland on devstation:
>>>>>     !env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>>>> User rowland may run the following commands on devstation:
>>>>>     (ALL : ALL) ALL
>>>>> Would it help if I told you that I do this on all my Unix domain
>>>>> members and DCs without modifying any sudo files?
>>>>> Rowland
>>>> The one thing I see here is that there is indeed a sudo-rule that
>>>> allows you full root access given you enter your password.
>>>> The output does not show on what basis you get this rule
>>>> "(ALL : ALL) ALL" assigned.
>>>> I am certain that I do not see that on my machines when I am not in
>>>> the group "sudo".
>>>> The sudo -l output for my user (which is a member of group sudo) is:
>>>> kvv at bach:~$ sudo -l
>>>> [sudo] wachtwoord voor kvv:
>>>> Overeenkomende standaarditems voor kvv op bach:
>>>>     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>>> Gebruiker kvv mag de volgende opdrachten uitvoeren op bach:
>>>>     (ALL : ALL) ALL
>>>> When comparing the output, I noticed in yours "matching default items"
>>>> are listed twice. Again no clue how it got there.
>>> Yes I noticed that, but it doesn't affect sudo-ldap hint hint
>>> I must log a sudo bug
>>> Rowland
>> Hi Rowland,
>> Usually you are quick and accurate in your responses, which I really
>> appreciate.
>> In the last few messages you are playing hide and seek with me. You did
>> not show the crucial part of your configuration (/etc/sudoers) and until
>> the last message you did not talk about the fact you are using
>> sudo-ldap. Why is this necessary, are we not here to help each other?
>> I have no doubts that there are more ways to solve a problem and all of
>> them have their specific pros and cons.
>> The reason I am using pam_script is because it provides me with a
>> generic solution for all applications that can work with local
>> authorization groups. One solution for many applications is a big time
>> saver. The next reason is that it also works in offline or off-network
>> logins, i.e. when ldap/samba-dc is not reachable. Although that could
>> probably be overcome with nscd or lscd, again more than one solution to
>> get it done.
>> Still I am interested to learn how you did the sudo-ldap setup, perhaps
>> there are advantages that I overlooked.
>> Then again what about other applications' authorization groups? I used
>> the example of libvirtd but pam_scripts also manages wireshark, sshd,
>> kvm, docker, audio, video, dialout, cdrom, floppy, lpadmin, plugdev,
>> bluetooth, netdev, pulse-access, users on my machines?
>> - Kees
> Yes, I use sudo-ldap with the sudo rules in AD. What I was trying to
> point out, was that winbind can do just about everything that the
> program I will not mention, can. The big problem was GPO's and David
> Mulder is working on closing that hole.
> I repeat what I have been saying for a long time, you do not need that
> program that I will not mention. If you think you do, then good luck to
> you, just do not expect me to help you with it, as I don't use it any
> more and haven't for years.
> Rowland
Hi Rowland,

The pam_script solution has no relation with winbind or sssd. It solves
the problem with local authorization groups and it works in offline mode
(important for laptops). If there is a better way to achieve this, I am
really interested.

Since winbind has issues with offline mode, I cannot use it
exclusively (that's where and why sssd comes into play). When a machine
is offline, it just hangs on user or group lookups although Louis and
you both confirmed in this list that I have a proper config on multiple

- Kees.
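The thread above compares two `sudo -l` reports and Kees notices that the Defaults entries in Rowland's output appear twice. The following is an added example, not something either poster or the Samba project shipped: a small POSIX sh audit that parses a captured `sudo -l` report, lists the command rules the user holds, counts how often a given Defaults option is listed (so a duplicated `mail_badpass` or `secure_path` is flagged instead of eyeballed), and reports whether the user holds an unrestricted `(ALL : ALL) ALL` rule. The sample report is constructed to mirror the shape of the output quoted in the thread; the function names and the `SUDO_AUDIT_DEMO` variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the samba thread): audit a captured "sudo -l" report.
# SAMPLE_SUDO_L is constructed to mirror the shape of the output quoted above,
# including the doubled Defaults entries Kees pointed out.
SAMPLE_SUDO_L='Matching Defaults entries for rowland on devstation:
    !env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rowland may run the following commands on devstation:
    (ALL : ALL) ALL'

# Print the command rules: every non-empty line after the "may run" header,
# with leading whitespace removed.
sudo_rules() {
    printf '%s\n' "$1" | awk '
        /may run the following commands/ { inrules = 1; next }
        inrules && NF { sub(/^[ \t]+/, ""); print }
    '
}

# Count how many times a Defaults option name ($2) appears in the Defaults
# section of report $1. A leading "!" (negation) is ignored so that
# "!env_reset" and "env_reset" both count as env_reset.
defaults_count() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        /^Matching Defaults entries/ { indef = 1; next }
        /^User .* may run/ { indef = 0 }
        indef {
            n = split($0, parts, ",[ \t]*")
            for (i = 1; i <= n; i++) {
                sub(/^[ \t!]+/, "", parts[i])
                split(parts[i], kv, "=")
                if (kv[1] == opt) count++
            }
        }
        END { print count + 0 }
    '
}

# Exit 0 if the report grants an unrestricted "(ALL : ALL) ALL" rule.
has_full_root() {
    sudo_rules "$1" | grep -qx '(ALL : ALL) ALL'
}

# Stand-alone run: summarise the constructed sample. To audit a live host,
# replace the sample with:  report=$(sudo -l)  and pass "$report" instead.
if [ "${SUDO_AUDIT_DEMO:-1}" = 1 ]; then
    echo "Command rules:"
    sudo_rules "$SAMPLE_SUDO_L"
    for opt in env_reset mail_badpass secure_path; do
        echo "$opt listed $(defaults_count "$SAMPLE_SUDO_L" "$opt") time(s)"
    done
    if has_full_root "$SAMPLE_SUDO_L"; then
        echo "unrestricted root via sudo: yes"
    else
        echo "unrestricted root via sudo: no"
    fi
fi
```

The Defaults count is the useful signal here: on a host where each option is expected once, a count of 2 means the same Defaults block is being merged from two sources (for example a file-based sudoers plus an LDAP/AD sudoers source), which is worth explaining before trusting that the rule set is the one you think it is.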
