From: Robert Archer <archerra@cs.unisa.edu.au>
To: freebsd-questions@freebsd.org
Date: Wed, 12 Jan 2011 16:53:33 +1030
Subject: Sudo 1.7.4 and AD groups

Hi FreeBSD Folks,

I'm using Samba 3.5.6 to authenticate logins and manage access on FreeBSD 8.1. With Sudo 1.7.2, I was able to use Active Directory groups in sudoers(5), but this doesn't seem to work in 1.7.4.

Versions:

$ uname -a
FreeBSD cis-mvl.ml.unisa.edu.au 8.1-RELEASE-p2 FreeBSD 8.1-RELEASE-p2 #0: Tue Jan 11 06:03:08 CST 2011     root@cis-freebsd.ml.unisa.edu.au:/export/build/obj/export/build/src/sys/VMWARE  amd64
$ sudo -V
Sudo version 1.7.4p4
$ winbindd -V
Version 3.5.6

/etc/nsswitch.conf:
group: files winbind
hosts: files dns
networks: files
passwd: files winbind
protocols: files
rpc: files
services: files
shells: files

/usr/local/etc/pam.d/sudo:
auth		sufficient	/usr/local/lib/pam_winbind.so try_first_pass
auth		include		system
account		include		system
session		required	pam_permit.so
password	include		system

/usr/local/etc/sudoers:
Defaults env_keep += "EDITOR FTP_PASSIVE_MODE HOME PAGER"
Defaults insults
Defaults shell_noargs
Defaults syslog = auth
Defaults !tty_tickets

root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
%cis-sambagroupname ALL = (ALL) ALL

Using version 1.7.2:

$ /mnt/usr/local/bin/sudo -V
Sudo version 1.7.2p6
$ /mnt/usr/local/bin/sudo -l
Password:
Matching Defaults entries for cis-username on this host:
    env_keep+="EDITOR FTP_PASSIVE_MODE HOME PAGER", insults, shell_noargs, syslog=auth, !tty_tickets

User cis-username may run the following commands on this host:
    (ALL) ALL

Using version 1.7.4:

$ sudo -V
Sudo version 1.7.4p4
$ sudo -l
Password:
Sorry, user cis-username may not run sudo on cis-mvl.

The group looks correct:

$ getent group cis-sambagroupname
cis-sambagroupname:x:169013:cis-XXXXXXXX,iee-XXXXXX,cis-XXXXXXXX,cis-username,cis-XXXXXXX,cis-XXXXXX

And if I add my username to sudoers(5), it works fine.

Any suggestions?

Thanks
Rob.