Sudo 1.7.4 and AD groups
Robert Archer
archerra at cs.unisa.edu.au
Wed Jan 12 06:34:38 UTC 2011
Hi FreeBSD Folks,
I'm using Samba 3.5.6 to authenticate logins and manage access on FreeBSD 8.1.
With Sudo 1.7.2, I was able to use Active Directory groups in sudoers(5), but
this doesn't seem to work in 1.7.4.
Versions:
$ uname -a
FreeBSD cis-mvl.ml.unisa.edu.au 8.1-RELEASE-p2 FreeBSD 8.1-RELEASE-p2 #0: Tue Jan 11 06:03:08 CST 2011 root at cis-freebsd.ml.unisa.edu.au:/export/build/obj/export/build/src/sys/VMWARE amd64
$ sudo -V
Sudo version 1.7.4p4
$ winbindd -V
Version 3.5.6
/etc/nsswitch.conf:
group: files winbind
hosts: files dns
networks: files
passwd: files winbind
protocols: files
rpc: files
services: files
shells: files
/usr/local/etc/pam.d/sudo:
auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
auth include system
account include system
session required pam_permit.so
password include system
/usr/local/etc/sudoers:
Defaults env_keep += "EDITOR FTP_PASSIVE_MODE HOME PAGER"
Defaults insults
Defaults shell_noargs
Defaults syslog = auth
Defaults !tty_tickets
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
%cis-sambagroupname ALL = (ALL) ALL
Using version 1.7.2:
$ /mnt/usr/local/bin/sudo -V
Sudo version 1.7.2p6
$ /mnt/usr/local/bin/sudo -l
Password:
Matching Defaults entries for cis-username on this host:
env_keep+="EDITOR FTP_PASSIVE_MODE HOME PAGER", insults, shell_noargs, syslog=auth, !tty_tickets
User cis-username may run the following commands on this host:
(ALL) ALL
Using version 1.7.4:
$ sudo -V
Sudo version 1.7.4p4
$ sudo -l
Password:
Sorry, user cis-username may not run sudo on cis-mvl.
The group looks correct:
$ getent group cis-sambagroupname
cis-sambagroupname:x:169013:cis-XXXXXXXX,iee-XXXXXX,cis-XXXXXXXX,cis-username,cis-XXXXXXX,cis-XXXXXX
And if I add my username to sudoers(5), it works fine.
Any suggestions?
Thanks
Rob.
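A small diagnostic for the symptom described above, added here as an example and not part of the original post. On a winbind host the group database view of membership (`getent group`, the member field that the post shows) and the user's own group vector (what `id -Gn user` reports) can disagree, and a `%group` rule in sudoers(5) only helps if the view sudo consults contains the group. The script compares the two views for one user and group; the `getent` line and the `id -Gn` output are constructed sample data modelled on the post, with member names shortened.

```shell
#!/bin/sh
# Compare two views of group membership for a sudoers %group rule:
#   1. the member list in the group database (output of: getent group GROUP)
#   2. the user's group vector            (output of: id -Gn USER)

# Constructed sample data (not real output): modelled on the post.
GETENT_LINE='cis-sambagroupname:x:169013:cis-aaaa,iee-bbbb,cis-username,cis-cccc'
ID_GROUPS='cis-username wheel'   # constructed: group vector lacks the AD group

# group_has_member GETENT_LINE USER -> 0 if USER appears in the member field
group_has_member() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qxF "$2"
}

# vector_has_group ID_OUTPUT GROUP -> 0 if GROUP appears in the group vector
vector_has_group() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qxF "$2"
}

# check_sudoers_group GETENT_LINE ID_OUTPUT USER GROUP
# Prints a diagnosis. Returns 0 when both views agree the user is in GROUP,
# 1 when exactly one view shows membership, 2 when neither does.
check_sudoers_group() {
    in_db=1; in_vec=1
    group_has_member "$1" "$3" && in_db=0
    vector_has_group "$2" "$4" && in_vec=0
    if [ "$in_db" -eq 0 ] && [ "$in_vec" -eq 0 ]; then
        echo "ok: $3 is in $4 in both the group database and the group vector"
        return 0
    elif [ "$in_db" -eq 0 ]; then
        echo "mismatch: $4 lists $3, but $4 is missing from the group vector (id -Gn $3)"
        return 1
    elif [ "$in_vec" -eq 0 ]; then
        echo "mismatch: $4 is in the group vector, but $3 is not in the member list of $4"
        return 1
    fi
    echo "not a member: $3 is not in $4 in either view"
    return 2
}

# Run against the constructed sample: expected to report a mismatch.
check_sudoers_group "$GETENT_LINE" "$ID_GROUPS" cis-username cis-sambagroupname || :
```

On a live host, replace the two constructed strings with `"$(getent group cis-sambagroupname)"` and `"$(id -Gn cis-username)"`; a mismatch points at NSS/winbind group resolution rather than at the sudoers entry itself.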