Has anyone here managed to get sudo working with Samba 4 AD users, using either ldap or sssd, with sssd preferred? If so, can you please point me in the direction of whatever instructions you used? It seems like there are a bunch of tutorials on the subject, each with different, and sometimes conflicting, information but none of those I've tried work for me.

regards,
John
Hi John,

Just give your group a GID and your users who log in a UID, and sudo should work. I'm using samba/winbind on debian jessie.

What I did, just a: adduser username sudo

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of John Gardeniers
> Sent: Wednesday 20 April 2016 6:18
> To: samba at lists.samba.org
> Subject: [Samba] Samba 4 sudoers
>
> Has anyone here managed to get sudo working with Samba 4 AD users, using
> either ldap or sssd, with sssd preferred? If so, can you please point me
> in the direction of whatever instructions you used? It seems like there
> are a bunch of tutorials on the subject, each with different, and
> sometimes conflicting, information but none of those I've tried work for
> me.
>
> regards,
> John
Hi,

Basically, you just need to get your users available on your system. (either via winbind, or sssd)

Once they are available, you can add them to sudoers just like 'normal' users. (because that's basically what they have become then)

Works for us.

MJ

On 04/20/2016 06:18 AM, John Gardeniers wrote:
> Has anyone here managed to get sudo working with Samba 4 AD users, using
> either ldap or sssd, with sssd preferred? If so, can you please point me
> in the direction of whatever instructions you used? It seems like there
> are a bunch of tutorials on the subject, each with different, and
> sometimes conflicting, information but none of those I've tried work for
> me.
>
> regards,
> John
Thanks Louis but that's not quite what we're trying to achieve. We want to manage sudo permissions from within AD itself, rather than on each client machine.

regards,
John

On 20/04/16 16:41, L.P.H. van Belle wrote:
> Hi John,
>
> Just give your group a GID and your users who log in a UID, and sudo should work. I'm using samba/winbind on debian jessie.
>
> What I did, just a: adduser username sudo
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of John Gardeniers
>> Sent: Wednesday 20 April 2016 6:18
>> To: samba at lists.samba.org
>> Subject: [Samba] Samba 4 sudoers
>>
>> Has anyone here managed to get sudo working with Samba 4 AD users, using
>> either ldap or sssd, with sssd preferred? If so, can you please point me
>> in the direction of whatever instructions you used? It seems like there
>> are a bunch of tutorials on the subject, each with different, and
>> sometimes conflicting, information but none of those I've tried work for
>> me.
>>
>> regards,
>> John
Thanks but it appears I wasn't anywhere near clear enough. We're trying to manage sudo permissions from AD, not the clients. After all, the purpose of a domain is to centralise management.

regards,
John

On 20/04/16 17:12, mj wrote:
> Hi,
>
> Basically, you just need to get your users available on your system.
> (either via winbind, or sssd)
>
> Once they are available, you can add them to sudoers just like
> 'normal' users. (because that's basically what they have become then)
>
> Works for us.
>
> MJ
> On 04/20/2016 06:18 AM, John Gardeniers wrote:
>> Has anyone here managed to get sudo working with Samba 4 AD users, using
>> either ldap or sssd, with sssd preferred? If so, can you please point me
>> in the direction of whatever instructions you used? It seems like there
>> are a bunch of tutorials on the subject, each with different, and
>> sometimes conflicting, information but none of those I've tried work for
>> me.
>>
>> regards,
>> John
Good news, I now have this working. Once I finish writing my notes I'll make them available to whoever might want them. Just to clarify things a bit, here is what we have and what we wanted:

* Linux users are authenticated by the Samba 4 domain controllers via SSSD, which itself uses LDAP.
* As we are a development house, we have a rather complex set of users/groups/permissions on the numerous servers. We wanted to manage this centrally via Active Directory, without touching the sudoers file on the Linux side.
* As of now, on a test domain which is functionally a replica of our production domain, we are able to manage sudo permissions on our AD users and groups via a combination of ADSI Edit and ADUC.

ADSI Edit is used only to create a new rule, which we then edit in ADUC. As I am the only member of our team who has ever dealt with Active Directory before we are looking for any GUI tool which can make this a bit more intuitive, as the native Linux speakers aren't overly comfortable with the aforementioned tools. If you know of any we'd like to know.

A bit more testing and we can copy this to production. :)

regards,
John

On 20/04/16 14:18, John Gardeniers wrote:
> Has anyone here managed to get sudo working with Samba 4 AD users,
> using either ldap or sssd, with sssd preferred? If so, can you please
> point me in the direction of whatever instructions you used? It seems
> like there are a bunch of tutorials on the subject, each with
> different, and sometimes conflicting, information but none of those
> I've tried work for me.
>
> regards,
> John
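
As an added illustration (not John's configuration, which the thread does not show, and not code from the Samba or sudo projects): sudo rules kept in a directory are `sudoRole` objects carrying `sudoUser`, `sudoHost`, `sudoCommand` and `sudoOption` attributes, and this script reviews an LDIF export of them for grants broader than a named user, host or command. The OU, group and rule names in the sample are constructed, and the parser assumes unfolded, non-base64 LDIF.

```python
# Added example: audit sudoRole entries exported from the directory as LDIF.
# The sample entries, OU, group and host names are constructed for illustration.
SAMPLE_LDIF = """\
dn: CN=dev-restart,OU=sudoers,DC=example,DC=com
objectClass: sudoRole
cn: dev-restart
sudoUser: %developers
sudoHost: build01.example.com
sudoCommand: /usr/bin/systemctl restart myapp

dn: CN=ops-all,OU=sudoers,DC=example,DC=com
objectClass: sudoRole
cn: ops-all
sudoUser: %ops
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
"""

def parse_ldif(text):
    """Parse simple (unfolded, non-base64) LDIF into a list of attr->values dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        # Keep only sudo rule objects; other object classes are ignored.
        if "sudorole" in (v.lower() for v in entry.get("objectclass", [])):
            entries.append(entry)
    return entries

def audit(entries):
    """Return {rule cn: [findings]} for rules broader than a named user/host/command."""
    report = {}
    for e in entries:
        findings = []
        for attr, label in (("sudouser", "any user"), ("sudohost", "any host"),
                            ("sudocommand", "any command")):
            if "ALL" in e.get(attr, []):
                findings.append(label)
        if "!authenticate" in e.get("sudooption", []):
            findings.append("no password prompt")
        if findings:
            report[e["cn"][0]] = findings
    return report

if __name__ == "__main__":
    for cn, findings in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{cn}: {', '.join(findings)}")
```
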
Hi John,

Well yeah, I'm always up in to new things.. :-) And thanks in advance for sharing your config.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of John Gardeniers
> Sent: Thursday 21 April 2016 7:40
> To: samba at lists.samba.org
> Subject: [Samba] [Solved] Samba 4 sudoers
>
> Good news, I now have this working. Once I finish writing my notes I'll
> make them available to whoever might want them. Just to clarify things a
> bit, here is what we have and what we wanted:
>
> * Linux users are authenticated by the Samba 4 domain controllers via
>   SSSD, which itself uses LDAP.
> * As we are a development house, we have a rather complex set of
>   users/groups/permissions on the numerous servers. We wanted to manage
>   this centrally via Active Directory, without touching the sudoers file
>   on the Linux side.
> * As of now, on a test domain which is functionally a replica of our
>   production domain, we are able to manage sudo permissions on our AD
>   users and groups via a combination of ADSI Edit and ADUC.
>
> ADSI Edit is used only to create a new rule, which we then edit in ADUC.
> As I am the only member of our team who has ever dealt with Active
> Directory before we are looking for any GUI tool which can make this a
> bit more intuitive, as the native Linux speakers aren't overly
> comfortable with the aforementioned tools. If you know of any we'd like
> to know.
>
> A bit more testing and we can copy this to production. :)
>
> regards,
> John
>
>
> On 20/04/16 14:18, John Gardeniers wrote:
> > Has anyone here managed to get sudo working with Samba 4 AD users,
> > using either ldap or sssd, with sssd preferred? If so, can you please
> > point me in the direction of whatever instructions you used? It seems
> > like there are a bunch of tutorials on the subject, each with
> > different, and sometimes conflicting, information but none of those
> > I've tried work for me.
> >
> > regards,
> > John
On 21/04/16 06:40, John Gardeniers wrote:
> Good news, I now have this working. Once I finish writing my notes
> I'll make them available to whoever might want them. Just to clarify
> things a bit, here is what we have and what we wanted:
>
> * Linux users are authenticated by the Samba 4 domain controllers via
>   SSSD, which itself uses LDAP.
> * As we are a development house, we have a rather complex set of
>   users/groups/permissions on the numerous servers. We wanted to manage
>   this centrally via Active Directory, without touching the sudoers file
>   on the Linux side.
> * As of now, on a test domain which is functionally a replica of our
>   production domain, we are able to manage sudo permissions on our AD
>   users and groups via a combination of ADSI Edit and ADUC.
>
> ADSI Edit is used only to create a new rule, which we then edit in
> ADUC. As I am the only member of our team who has ever dealt with
> Active Directory before we are looking for any GUI tool which can make
> this a bit more intuitive, as the native Linux speakers aren't overly
> comfortable with the aforementioned tools. If you know of any we'd
> like to know.
>
> A bit more testing and we can copy this to production. :)
>
> regards,
> John
>
>
> On 20/04/16 14:18, John Gardeniers wrote:
>> Has anyone here managed to get sudo working with Samba 4 AD users,
>> using either ldap or sssd, with sssd preferred? If so, can you please
>> point me in the direction of whatever instructions you used? It seems
>> like there are a bunch of tutorials on the subject, each with
>> different, and sometimes conflicting, information but none of those
>> I've tried work for me.
>>
>> regards,
>> John

I had this working some time ago, when I thought the only way was sssd and yes it would be nice to have a GUI, but I don't know of one. I have been working on getting sudo to work with winbind and am struggling a bit at the moment, not with sudo and AD, but with k5start. I need this to make sure there is a ticket for the user that reads the sudo rules in AD, only problem, k5start doesn't seem to want to start at boot :-)

Rowland
On Thu, 21 Apr 2016, John Gardeniers wrote:
> Good news, I now have this working. Once I finish writing my notes I'll make
> them available to whoever might want them.

Good to hear. I tried to get this working by following some of the online docs and the sudoers docs, and never did get it to work.

It'd be great if someone could put this up on the Samba wiki when it's published too.
On Thu, 2016-04-21 at 15:40 +1000, John Gardeniers wrote:
> Good news, I now have this working. Once I finish writing my notes
> I'll make them available to whoever might want them. Just to clarify
> things a bit, here is what we have and what we wanted:
>
> * Linux users are authenticated by the Samba 4 domain controllers via
>   SSSD, which itself uses LDAP.
> * As we are a development house, we have a rather complex set of
>   users/groups/permissions on the numerous servers. We wanted to manage
>   this centrally via Active Directory, without touching the sudoers
>   file on the Linux side.
> * As of now, on a test domain which is functionally a replica of our
>   production domain, we are able to manage sudo permissions on our AD
>   users and groups via a combination of ADSI Edit and ADUC.
>
> ADSI Edit is used only to create a new rule, which we then edit in
> ADUC. As I am the only member of our team who has ever dealt with Active
> Directory before we are looking for any GUI tool which can make this
> a bit more intuitive, as the native Linux speakers aren't overly
> comfortable with the aforementioned tools. If you know of any we'd
> like to know.
>
> A bit more testing and we can copy this to production. :)
>
> regards,
> John

Make sure to use Samba 4.4 to avoid very strange replication bugs with the custom schema.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba