Date:      Wed, 12 Jan 2011 16:53:33 +1030
From:      Robert Archer <archerra@cs.unisa.edu.au>
To:        freebsd-questions@freebsd.org
Subject:   Sudo 1.7.4 and AD groups
Message-ID:  <DD28463E-8E05-4A4D-A360-2C575D78ACDB@cs.unisa.edu.au>

Hi FreeBSD Folks,

I'm using Samba 3.5.6 to authenticate logins and manage access on FreeBSD 8.1.

With Sudo 1.7.2, I was able to use Active Directory groups in sudoers(5), but
this doesn't seem to work in 1.7.4.

Versions:

  $ uname -a
  FreeBSD cis-mvl.ml.unisa.edu.au 8.1-RELEASE-p2 FreeBSD 8.1-RELEASE-p2 #0: Tue Jan 11 06:03:08 CST 2011     root@cis-freebsd.ml.unisa.edu.au:/export/build/obj/export/build/src/sys/VMWARE  amd64
  $ sudo -V
  Sudo version 1.7.4p4
  $ winbindd -V
  Version 3.5.6

/etc/nsswitch.conf:

  group:          files winbind
  hosts:          files dns
  networks:       files
  passwd:         files winbind
  protocols:      files
  rpc:            files
  services:       files
  shells:         files

/usr/local/etc/pam.d/sudo:

  auth            sufficient      /usr/local/lib/pam_winbind.so   try_first_pass
  auth            include         system
  account         include         system
  session         required        pam_permit.so
  password        include         system

/usr/local/etc/sudoers:

  Defaults                env_keep        += "EDITOR FTP_PASSIVE_MODE HOME PAGER"
  Defaults                insults
  Defaults                shell_noargs
  Defaults                syslog          = auth
  Defaults                !tty_tickets

  root                    ALL             = (ALL) ALL
  %wheel                  ALL             = (ALL) ALL
  %cis-sambagroupname     ALL             = (ALL) ALL

Using version 1.7.2:

  $ /mnt/usr/local/bin/sudo -V
  Sudo version 1.7.2p6
  $ /mnt/usr/local/bin/sudo -l
  Password:
  Matching Defaults entries for cis-username on this host:
      env_keep+="EDITOR FTP_PASSIVE_MODE HOME PAGER", insults, shell_noargs, syslog=auth, !tty_tickets

  User cis-username may run the following commands on this host:
      (ALL) ALL

Using version 1.7.4:

  $ sudo -V
  Sudo version 1.7.4p4
  $ sudo -l
  Password:
  Sorry, user cis-username may not run sudo on cis-mvl.

The group looks correct:

  $ getent group cis-sambagroupname
  cis-sambagroupname:x:169013:cis-XXXXXXXX,iee-XXXXXX,cis-XXXXXXXX,cis-username,cis-XXXXXXX,cis-XXXXXX

And if I add my username to sudoers(5), it works fine.

Any suggestions?

Thanks
Rob.
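
The post shows the group resolving through `getent group` while sudo still rejects the `%group` rule. A useful check before blaming sudo itself is to compare the two ways a system can answer "is this user in that group": the group's member list (what `getent group` prints) and the user's own group vector (what `id -Gn` prints). The script below is an added diagnostic example, not code from Rob's post or from the sudo or Samba projects; it assumes `getent(1)` and `id(1)` are available, and the sample group line is constructed, modelled on the `getent` output above. It never calls sudo, it only reports whether the two NSS views agree for a given user and group.

```shell
#!/bin/sh
# Added example: compare a group's member list with a user's group vector.
# Assumption: a "%group" sudoers rule can only match if the lookup sudo
# performs sees the user in the group; if the two NSS views below disagree,
# that is the place to look (winbind enumeration / nss settings).

# Print the member field of a getent(1)-style group line, one name per line.
# Line format: name:passwd:gid:member1,member2,...
group_line_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Succeed if USER ($2) appears in the member field of GROUP_LINE ($1).
group_line_has_member() {
    group_line_members "$1" | grep -qxF -- "$2"
}

# Succeed if GROUP ($2) is in USER's ($1) group vector as reported by id(1).
user_vector_has_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
}

# Live check for a user/group pair: resolve the group through NSS, then
# report both views. Exit 0 if they agree, 1 if they differ, 2 if the
# group does not resolve at all.
diagnose_group_match() {
    user=$1
    group=$2
    line=$(getent group "$group") || {
        echo "group '$group' does not resolve through NSS (check nsswitch.conf / winbindd)"
        return 2
    }
    in_list=no
    in_vector=no
    group_line_has_member "$line" "$user" && in_list=yes
    user_vector_has_group "$user" "$group" && in_vector=yes
    echo "member list (getent group $group): $in_list"
    echo "group vector (id -Gn $user):       $in_vector"
    if [ "$in_list" != "$in_vector" ]; then
        echo "the two views disagree; a %$group rule will match only if sudo uses the view that says 'yes'"
        return 1
    fi
    return 0
}

# Constructed sample line (placeholder member names, modelled on the post).
SAMPLE_LINE='cis-sambagroupname:x:169013:cis-aaaaaaaa,iee-bbbbbb,cis-username,cis-cccccc'

# Usage on a live system:
#   diagnose_group_match cis-username cis-sambagroupname
```

Run `diagnose_group_match <user> <group>` as the user in question; a "yes"/"no" split between the two lines means the group is visible to `getent` but not in the login session's group vector (or vice versa), which is exactly the kind of difference that makes one sudo build accept a `%group` rule and another reject it.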
