[Samba] Reported group membership is different between domain member and Samba ADC

John R. Graham john at graham-family.org
Fri Feb 14 15:51:57 UTC 2025


I was experimenting with centralized administration of Linux 
administrative privileges, so I created the group. (I have to assume 
that there's nothing fundamentally wrong with creating a domain group 
for some special purpose.) I then added to /etc/sudoers:

     %SAMDOM\\wheel ALL=(ALL:ALL) ALL

and to /etc/pam.d/su

     auth        required    pam_wheel.so use_uid group=SAMDOM\wheel

With those changes the domain members seem to honor the domain group to 
allow sudo and su, but the ADC does not, presumably because the 
effective group membership is different. Now, if you were to argue that 
I don't need a new group, that I should be using "Administrators" or 
"Domain Admins" instead, then I'd accept that criticism. I just thought 
that "wheel" was a more *nix-flavored name. And certainly the effective 
domain user domain group membership shouldn't be different when viewed 
on different domain member machines, should it?

- John

On 2/14/25 10:36, Rowland Penny via samba wrote:
> On Fri, 14 Feb 2025 10:03:33 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>
>> On my Linux domain members, group membership for my domain login is
>> reported as:
>>
>>       terra #  id SAMDOM\\jgraham
>>       uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),11105(SAMDOM\jgraham),11120(SAMDOM\wheel),3001(BUILTIN\users)
>>
>> (I filtered local groups to make the output less noisy.) But on the
>> ADC the same command gives different results:
>>
>>       dc1 # id SAMDOM\\jgraham
>>       uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)
>>
>> The difference that's causing me an issue right now is the missing
>> membership in the domain "wheel" group. How would I go about
>> troubleshooting this?
>>
>> - John
> The real question here is:
>
> Why do you need a group called wheel ?
>
> There isn't one in AD by default, nor on Debian, but redhat uses it,
> but it is a local group and shouldn't be in AD.
>
> Rowland
>
>
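A small comparison helper, added here as an example and not part of the thread, that parses the two id(1) lines quoted above (copied in as constructed sample input) and reports what a troubleshooter would look at first: group names present on one host but not the other, gids the ADC shows without a resolved name (3000020 above), and names that resolve to different gids on the two hosts. The function names are hypothetical.

```python
import re

# Constructed sample input: the two id(1) lines quoted in the thread,
# domain member (terra) first, ADC (dc1) second.
MEMBER_ID = r"uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),11105(SAMDOM\jgraham),11120(SAMDOM\wheel),3001(BUILTIN\users)"
DC_ID = r"uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)"

# One groups= entry: a gid, optionally followed by "(name)". A bare number
# means the host could not map that gid back to a name.
ENTRY = re.compile(r"^(\d+)(?:\((.*)\))?$")


def parse_groups(id_line):
    """Return {gid: name_or_None} from the groups= field of an id(1) line."""
    field = id_line.split("groups=", 1)[1]
    groups = {}
    for entry in field.split(","):
        m = ENTRY.match(entry.strip())
        if not m:
            raise ValueError(f"unexpected id entry: {entry!r}")
        groups[int(m.group(1))] = m.group(2)
    return groups


def has_group(id_line, name):
    """True if the named group is in the id(1) line; this is what a sudoers
    %GROUP rule or pam_wheel group= match needs to see on that host."""
    return name in parse_groups(id_line).values()


def compare_hosts(first_line, second_line):
    """Summarise the membership differences between two hosts' id(1) output."""
    a, b = parse_groups(first_line), parse_groups(second_line)
    by_name_a = {n: g for g, n in a.items() if n}
    by_name_b = {n: g for g, n in b.items() if n}
    common = by_name_a.keys() & by_name_b.keys()
    return {
        # names the first host sees that the second does not (and vice versa)
        "missing_on_second": sorted(by_name_a.keys() - by_name_b.keys()),
        "missing_on_first": sorted(by_name_b.keys() - by_name_a.keys()),
        # gids listed without any name: an unmapped or unresolvable group
        "unresolved_on_first": sorted(g for g, n in a.items() if n is None),
        "unresolved_on_second": sorted(g for g, n in b.items() if n is None),
        # same name, different gid: the two hosts use different ID mappings
        "gid_mismatch": sorted(n for n in common if by_name_a[n] != by_name_b[n]),
    }
```

On the sample lines this reports SAMDOM\wheel (and the user's private group) as missing on the ADC, 3000020 as an unresolved gid there, and BUILTIN\users mapped to a different gid on each host.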