Kees van Vloten
2021-Oct-04 16:42 UTC
[Samba] Fwd: Fwd: Winbind and GPO access restrictions?
On 04-10-2021 17:39, Rowland Penny via samba wrote:
> On Mon, 2021-10-04 at 13:10 +0200, Kees van Vloten via samba wrote:
>> On 02-10-2021 22:50, Rowland Penny via samba wrote:
>>> On Sat, 2021-10-02 at 22:46 +0200, Kees van Vloten wrote:
>>>> On 02-10-2021 22:16, Rowland Penny via samba wrote:
>>>>> On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
>>>>>> On 02-10-2021 21:58, Rowland Penny via samba wrote:
>>>>>>> On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba wrote:
>>>>>>>> I don't know what you have in /etc/sudoers or /etc/sudoers.d.
>>>>>>> I have already shown that my name is not in /etc/sudoers and /etc/sudoers.d/ is virtually empty:
>>>>>>>
>>>>>>> rowland at devstation:~$ ls /etc/sudoers.d
>>>>>>> README
>>>>>>>
>>>>>>> But I can use sudo.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> Indeed you did, but you did not show the /etc/sudoers file. I would expect it to contain a line that allows a group you are member of to provide you root access.
>>>>> Believe me it doesn't
>>>>>
>>>>>> If you want to see sudo-rules that are matching for your user you can do sudo -l from your user.
>>>>> Here you are:
>>>>>
>>>>> rowland at devstation:~$ sudo -l
>>>>> [sudo] password for rowland:
>>>>> Matching Defaults entries for rowland on devstation:
>>>>>     !env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>>>>
>>>>> User rowland may run the following commands on devstation:
>>>>>     (ALL : ALL) ALL
>>>>>
>>>>> Would it help if I told you that I do this on all my Unix domain members and DC's without modifying any sudo files ?
>>>>>
>>>>> Rowland
>>>>>
>>>> The one thing I see here is that there is indeed a sudo-rule that allows you full root access given you enter your password.
>>>> The output does not show on what basis you get this rule "(ALL : ALL) ALL" assigned.
>>>> I am certain that I do not see that on my machines when I am not in the group "sudo".
>>>>
>>>> The sudo -l output for my user (which is member of group sudo) is:
>>>>
>>>> kvv at bach:~$ sudo -l
>>>> [sudo] wachtwoord voor kvv:
>>>> Overeenkomende standaarditems voor kvv op bach:
>>>>     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>>>
>>>> Gebruiker kvv mag de volgende opdrachten uitvoeren op bach:
>>>>     (ALL : ALL) ALL
>>>>
>>>> When comparing the output, I noticed in yours "matching default items" are listed twice. Again no clue how it got there.
>>> Yes I noticed that, but it doesn't affect sudo-ldap hint hint
>>>
>>> I must log a sudo bug
>>>
>>> Rowland
>>>
>> Hi Rowland,
>>
>> Usually you are quick and accurate in your responses, which I really appreciate.
>> In the last few messages you are playing hide and seek with me. You did not show the crucial part of your configuration (/etc/sudoers) and until the last message you did not talk about the fact you are using sudo-ldap. Why is this necessary, are we not here to help each other?
>>
>> I have no doubts that there are more ways to solve a problem and all of them have their specific pros and cons.
>>
>> The reason I am using pam_script is because it provides me with a generic solution for all applications that can work with local authorization groups. One solution for many applications is a big time saver. The next reason is that it also works in offline or off-network logins, i.e. when ldap/samba-dc is not reachable. Although that could probably be overcome with nscd or lscd, again more than one solution to get it done.
>>
>> Still I am interested to learn how you did the sudo-ldap setup, perhaps there are advantages that I overlooked.
>> Then again what about other applications authorization groups? I used the example of libvirtd but pam_scripts also manages wireshark, sshd, kvm, docker, audio, video, dialout, cdrom, floppy, lpadmin, plugdev, bluetooth, netdev, pulse-access, users on my machines?
>>
>> - Kees
>>
> Yes, I use sudo-ldap with the sudo rules in AD. What I was trying to point out, was that winbind can do just about everything that the program I will not mention, can. The big problem was GPO's and David Mulder is working on closing that hole.
>
> I repeat what I have been saying for a long time, you do not need that program that I will not mention. If you think you do, then good luck to you, just do not expect me to help you with it, as I don't use it any more and haven't for years
>
> Rowland
>

Hi Rowland,

The pam_script solution has no relation with winbind or sssd. It solves the problem with local authorization groups and it works in offline mode (important for laptops). If there is a better way to achieve this, I am really interested.

Since winbind has issues with offline mode, I cannot use it exclusively (that's where and why sssd comes into play). When a machine is offline, it just hangs on user or group lookups although Louis and you both confirmed in this list that I have a proper config on multiple occasions.

- Kees.
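As an added example (not code from the thread or from the pam_script project), a pam_script-style session hook in the spirit of the local-authorization-group approach Kees describes: it derives local group membership (libvirt, docker, wireshark) from the directory groups a user holds. The directory-to-local mapping and the function names are assumptions, and mapped local groups are treated as fully managed, so membership is revoked when the directory group is gone.

```shell
#!/bin/sh
# Constructed mapping (assumption): "<directory group>:<local authorization group>".
GROUP_MAP='
domain-virt:libvirt
domain-docker:docker
domain-capture:wireshark
'

# Print the changes for one user as "add <group>" / "del <group>" lines, given the
# user's current group names (whitespace separated, as printed by `id -Gn`):
#   add  when the mapped directory group is held but the local group is not,
#   del  when the local group is held without its directory group (revocation).
# Running it again after the changes are applied prints nothing, so the hook is idempotent.
plan_group_changes() {
    user_groups=" $1 "
    echo "$GROUP_MAP" | while IFS=: read -r dir_group local_group; do
        [ -n "$dir_group" ] || continue
        has_dir=0; has_local=0
        case "$user_groups" in *" $dir_group "*)   has_dir=1 ;; esac
        case "$user_groups" in *" $local_group "*) has_local=1 ;; esac
        if [ "$has_dir" = 1 ] && [ "$has_local" = 0 ]; then echo "add $local_group"
        elif [ "$has_dir" = 0 ] && [ "$has_local" = 1 ]; then echo "del $local_group"
        fi
    done
}

# Apply the plan to a real account. `id -Gn` resolves through NSS, so cached
# directory groups keep working when the DC is unreachable; only groups that
# exist in /etc/group are touched.
apply_changes_for_user() {
    user="$1"
    groups_now=$(id -Gn "$user") || return 1
    plan_group_changes "$groups_now" | while read -r action grp; do
        getent group "$grp" >/dev/null || continue
        case "$action" in
            add) gpasswd -a "$user" "$grp" >/dev/null ;;
            del) gpasswd -d "$user" "$grp" >/dev/null ;;
        esac
    done
}

# pam_script exports the authenticating account as PAM_USER when it runs a hook.
if [ -n "$PAM_USER" ]; then
    apply_changes_for_user "$PAM_USER"
fi
```

Installed as the session-open hook, the script runs as root at login, so keep it root-owned and non-writable by others, since anyone who can edit it controls group assignment on the host.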