[Samba] nested groups not working with sudo and winbind - Samba



Thread: [Samba] nested groups not working with sudo and winbind

  1. [Samba] nested groups not working with sudo and winbind

    Howdy folks,

    I'm having an issue with sudo not recognizing nested groups
    via AD and winbind. I have an AD group called UnixAdmins and
    when I add an AD account *directly* into this group, I am able
    to use sudo just fine as it is in the sudoers. *but* say I
    have a nested group in UnixAdmins like CustomerUsers or whatnot
    it won't recognize. Now, I also restrict access via pam.d systems-auth
    to UnixAdmins, so I know that part is working. Also, when I run
    an "id" it shows the proper groups. It just seems sudo won't
    recognize the nested groups :-(

    Anyone run into this issue before? It's gonna be an admin nightmare
    just to populate UnixAdmins with individual accounts ..

    Glenn E. Bailey III
    terremark worldwide
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] nested groups not working with sudo and winbind


    Glenn Bailey wrote:
    > Howdy folks,
    >
    > I'm having an issue with sudo not recognizing nested groups
    > via AD and winbind. I have an AD group called UnixAdmins and
    > when I add an AD account *directly* into this group, I am able
    > to use sudo just fine as it is in the sudoers. *but* say I
    > have a nested group in UnixAdmins like CustomerUsers or whatnot
    > it won't recognize. Now, I also restrict access via pam.d systems-auth
    > to UnixAdmins, so I know that part is working. Also, when I run
    > an "id" it shows the proper groups. It just seems sudo won't
    > recognize the nested groups :-(
    >
    > Anyone run into this issue before? It's gonna be an admin nightmare
    > just to populate UnixAdmins with individual accounts ..


    This was fixed in the upcoming 3.2 release. See the
    "winbind expand groups" option.





    cheers, jerry
    --
    =====================================================================
    Samba ------- http://www.samba.org
    Likewise Software --------- http://www.likewisesoftware.com
    "What man is a man who does not make the world better?" --Balian

  3. Re: [Samba] nested groups not working with sudo and winbind


    Glenn Bailey wrote:
    |>> I'm having an issue with sudo not recognizing nested groups via AD and
    |>> winbind. I have an AD group called UnixAdmins and when I add an AD
    |>> account *directly* into this group, I am able to use sudo just fine as
    |>> it is in the sudoers. *but* say I have a nested group in UnixAdmins
    |>> like CustomerUsers or whatnot it won't recognize. Now, I also restrict
    |>> access via pam.d systems-auth to UnixAdmins, so I know that part is
    |>> working. Also, when I run an "id" it shows the proper groups. It
    |>> just seems sudo won't recognize the nested groups :-(
    |>>
    |>> Anyone run into this issue before? It's gonna be an admin nightmare
    |>> just to populate UnixAdmins with individual accounts ..
    |
    |> This was fixed in the upcoming 3.2 release. See the "winbind expand
    |> groups" option.
    |
    | is there any way to patch 3.0.28a to allow for this? or
    | any kind of workaround?

    Not officially. Are you running a file server? Or just using
    Winbind to authenticate logons? I originally did the work
    in Likewise's Winbind tree and pushed it upstream. So
    it has been shipping in Likewise Open [1] for a while.


    [1] http://www.likewisesoftware.com/community/


    cheers, jerry
    --
    =====================================================================
    Samba ------- http://www.samba.org
    Likewise Software --------- http://www.likewisesoftware.com
    "What man is a man who does not make the world better?" --Balian
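
A diagnostic for the symptom discussed in this thread, as an added example that is not part of any poster's message: it compares `id -G` output with the `getent group` member list, the enumeration whose nesting depth the "winbind expand groups" option controls. The function names, sample GIDs and sample users are constructed, and that the failing sudo check consults the enumerated member list is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the two views of group
# membership the poster describes: the user's own group list (`id`) and the
# group's enumerated member list (`getent group`).

# classify_membership ID_GIDS GROUP_LINE USER
#   ID_GIDS    space-separated numeric GIDs, as printed by `id -G USER`
#   GROUP_LINE one line in group(5) format, as printed by `getent group GROUP`
# GIDs are compared instead of names because winbind group names may
# contain spaces, which makes `id -Gn` output ambiguous.
classify_membership() {
    id_gids=$1 line=$2 user=$3
    members=${line##*:}          # 4th field: comma-separated member names
    rest=${line%:*}
    gid=${rest##*:}              # 3rd field: numeric GID
    if [ -z "$gid" ]; then
        echo unknown-group; return 0
    fi
    case " $id_gids " in
        *" $gid "*) ;;
        *) echo not-member; return 0 ;;
    esac
    case ",$members," in
        *",$user,"*) echo listed ;;
        # Also the result for a user's primary group, which group(5)
        # member lists never name.
        *) echo not-enumerated ;;
    esac
}

# Live check on a winbind client (hypothetical helper name).
check_live() {
    classify_membership "$(id -G "$1")" "$(getent group "$2")" "$1"
}

# Constructed sample data: carol is in CustomerUsers, nested in UnixAdmins,
# so her group list carries the GID but the member list does not name her.
SAMPLE_LINE='UnixAdmins:x:10642:alice,bob'
for u in alice carol; do
    printf '%s: %s\n' "$u" "$(classify_membership '10000 10642' "$SAMPLE_LINE" "$u")"
done
```

On a winbind client, `check_live USER UnixAdmins` runs the same comparison against live NSS data; a `not-enumerated` result for a secondary group is the mismatch described in the first post.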
