Date:      Wed, 12 Jan 2011 16:53:33 +1030
From:      Robert Archer <archerra@cs.unisa.edu.au>
To:        freebsd-questions@freebsd.org
Subject:   Sudo 1.7.4 and AD groups
Message-ID:  <DD28463E-8E05-4A4D-A360-2C575D78ACDB@cs.unisa.edu.au>


Hi FreeBSD Folks,

I'm using Samba 3.5.6 to authenticate logins and manage access on FreeBSD 8.1.

With Sudo 1.7.2, I was able to use Active Directory groups in sudoers(5), but
this doesn't seem to work in 1.7.4.

Versions:

  $ uname -a
  FreeBSD cis-mvl.ml.unisa.edu.au 8.1-RELEASE-p2 FreeBSD 8.1-RELEASE-p2 #0: Tue Jan 11 06:03:08 CST 2011     root@cis-freebsd.ml.unisa.edu.au:/export/build/obj/export/build/src/sys/VMWARE  amd64
  $ sudo -V
  Sudo version 1.7.4p4
  $ winbindd -V
  Version 3.5.6

/etc/nsswitch.conf:

  group:          files winbind
  hosts:          files dns
  networks:       files
  passwd:         files winbind
  protocols:      files
  rpc:            files
  services:       files
  shells:         files

/usr/local/etc/pam.d/sudo:

  auth            sufficient      /usr/local/lib/pam_winbind.so   try_first_pass
  auth            include         system
  account         include         system
  session         required        pam_permit.so
  password        include         system

/usr/local/etc/sudoers:

  Defaults                env_keep        += "EDITOR FTP_PASSIVE_MODE HOME PAGER"
  Defaults                insults
  Defaults                shell_noargs
  Defaults                syslog          = auth
  Defaults                !tty_tickets
  
  root                    ALL             = (ALL) ALL
  %wheel                  ALL             = (ALL) ALL
  %cis-sambagroupname     ALL             = (ALL) ALL

Using version 1.7.2:

  $ /mnt/usr/local/bin/sudo -V
  Sudo version 1.7.2p6
  $ /mnt/usr/local/bin/sudo -l
  Password: 
  Matching Defaults entries for cis-username on this host:
      env_keep+="EDITOR FTP_PASSIVE_MODE HOME PAGER", insults, shell_noargs, syslog=auth, !tty_tickets

  User cis-username may run the following commands on this host:
      (ALL) ALL

Using version 1.7.4:

  $ sudo -V
  Sudo version 1.7.4p4
  $ sudo -l
  Password: 
  Sorry, user cis-username may not run sudo on cis-mvl.

The group looks correct:

  $ getent group cis-sambagroupname 
  cis-sambagroupname:x:169013:cis-XXXXXXXX,iee-XXXXXX,cis-XXXXXXXX,cis-username,cis-XXXXXXX,cis-XXXXXX

And if I add my username to sudoers(5), it works fine.

Any suggestions?

Thanks
Rob.
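Added by the editor, not part of the original message: a small diagnostic that a practitioner would run before changing sudoers. A `%group` rule can only be satisfied if sudo's view of the user's group membership includes that group, and there are two places that view can come from: the group entry's member list (the fourth field that `getent group NAME` prints, which is what the post checked) and the user's supplementary group vector (what `id -Gn USER` prints, built by the NSS/winbind lookup). The script below takes both as plain strings so it runs offline against constructed data; on the host you would feed it the live output of those two commands. The sample group line is a trimmed copy of the one in the post and the two group vectors are invented for the demo; whether sudo 1.7.4 consults one source or the other is not asserted here, the check simply shows whether the two sources agree for the user in question.

```shell
#!/bin/sh
# Editor's added example (not the poster's code). Compares the two views a
# "%group" sudoers rule can be resolved from:
#   1. the gr_mem field of the group entry  (`getent group NAME`)
#   2. the user's supplementary group vector (`id -Gn USER`)
# Inputs are passed as strings so the check is reproducible offline.

# member_of_group_line LINE USER
#   returns 0 when USER appears in the comma-separated member field of LINE
member_of_group_line() {
    _members=$(printf '%s\n' "$1" | cut -d: -f4)
    printf '%s\n' "$_members" | tr ',' '\n' | grep -qx -- "$2"
}

# in_group_vector VECTOR GROUP
#   returns 0 when GROUP is one of the space-separated names in VECTOR
in_group_vector() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# check_sudoers_group GROUPLINE VECTOR USER GROUP
#   prints a one-line verdict and returns 0 only when both views say
#   USER is in GROUP; a mismatch is the case worth investigating.
check_sudoers_group() {
    _line=$1; _vec=$2; _user=$3; _grp=$4
    _byline=no; _byvec=no
    member_of_group_line "$_line" "$_user" && _byline=yes
    in_group_vector "$_vec" "$_grp" && _byvec=yes
    printf 'user=%s group=%s gr_mem=%s group-vector=%s\n' \
        "$_user" "$_grp" "$_byline" "$_byvec"
    [ "$_byline" = yes ] && [ "$_byvec" = yes ]
}

# Constructed sample data (trimmed from the getent line in the post; the
# two vectors are made up to show the agreeing and disagreeing cases).
GROUP_LINE='cis-sambagroupname:x:169013:cis-XXXXXXXX,iee-XXXXXX,cis-username'
VECTOR_WITH='cis-sambagroupname domain-users wheel'
VECTOR_WITHOUT='domain-users wheel'

# Demo run on the constructed data.
if check_sudoers_group "$GROUP_LINE" "$VECTOR_WITH" cis-username cis-sambagroupname; then
    echo "both views agree: %cis-sambagroupname can match cis-username"
fi
if ! check_sudoers_group "$GROUP_LINE" "$VECTOR_WITHOUT" cis-username cis-sambagroupname; then
    echo "views disagree: the member list names the user but the group vector does not"
fi
```

On the FreeBSD host the same check against live data is `check_sudoers_group "$(getent group cis-sambagroupname)" "$(id -Gn cis-username)" cis-username cis-sambagroupname`. If `id -Gn` does not list the group while `getent group` does, the difference is in how winbind populates the user's group vector, and that is the place to look before editing sudoers.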




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DD28463E-8E05-4A4D-A360-2C575D78ACDB>