"id" alone does not show my user in the it group "id username" does why would id alone give different results? which is odd because as my username I can get into a folder that has 0760 permissions with user as root and it as the group as for %it ALL=(ALL) ALL instead of: %it ALL=(ALL:ALL) ALL seems to work the same On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy < mattiasz at thinklogical.com> wrote:> Jeff, > > After the ssh did you run "id" command to verify that your account belongs > to the "it" group on the remote system? > > Did you try: > %it ALL=(ALL) ALL > instead of: > %it ALL=(ALL:ALL) ALL > > Regards, > Matt > > ________________________________________ > From: samba <samba-bounces at lists.samba.org> on behalf of Jeff Sadowski < > jeff.sadowski at gmail.com> > Sent: Monday, December 7, 2015 2:56 PM > To: samba > Subject: [Samba] Adding an AD group to /etc/sudoers? > > I can't seem to get this working and here is what I have done so far. > I am using samba 4.1.6 > > my /etc/samba/smb.conf looks like so > > security = ads > realm = DOMAIN.LONG > workgroup = DOMAIN > idmap config * : backend = tdb > idmap config * : range = 2000-7999 > idmap config DOMAIN:backend = ad > idmap config DOMAIN:range = 8000-9999999 > idmap config DOMAIN:schema_mode = rfc2307 > winbind nss info = rfc2307 > winbind use default domain = yes > winbind nested groups=yes > # so that the users show up in getent > winbind enum users = Yes > # doesn't seem to do the same for groups :-/ > winbind enum groups = Yes > restrict anonymous = 2 > > In AD my group it has a gid 8001 > > #getent group it > it:x:8001:myusername,others > > > in /etc/sudoers is the line > %it ALL=(ALL:ALL) ALL > > when I ssh to said machine like so > > ssh myusername at problemhost > > then run a command like so > > > sudo echo > [sudo] password for myusername: > myusername is not in the sudoers file. This incident will be reported. 
> > I tried adding another line to /etc/sudoers as follows > %DOMAIN\\it ALL=(ALL:ALL) ALL > > and > > %DOMAIN\it ALL=(ALL:ALL) ALL > > but neither of them work either. > > I seem to be able to get into the nfs shares I have group permissions to > but I can not get sudo to work with my AD user group. > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
wbinfo -r username
shows the gid of it
and a bunch of -1's, I'd guess for groups without gid's
my user belongs to 155 groups, is there a problem with that many groups?

On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> "id" alone does not show my user in the it group
> "id username" does
> why would id alone give different results?
>
> which is odd because
> as my username I can get into a folder that has 0760 permissions with user
> as root and it as the group
>
> as for
> %it ALL=(ALL) ALL
> instead of:
> %it ALL=(ALL:ALL) ALL
>
> seems to work the same

# id username|sed "s/,/\n/g"|wc -l
155
# id|sed "s/,/\n/g"|wc -l
28

On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> wbinfo -r username
> shows the gid of it
> and a bunch of -1's, I'd guess for groups without gid's
> my user belongs to 155 groups, is there a problem with that many groups?
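
A helper for the discrepancy reported in this thread (`id` lists 28 groups, `id username` lists 155), added here as an example and not posted by anyone on the list. `id` with no argument prints the groups carried by the calling process, while `id username` looks the account up through NSS, so the script names the groups that NSS resolves but the session lacks. The function names and the sample `id` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: which groups does NSS resolve for an account that the
# current login session does not carry?

# Turn one line of `id` output into "gid name" lines, one per group.
# Group names may contain spaces ("domain users"), so split on commas only.
# A trailing SELinux " context=..." field is dropped first.
id_groups() {
    printf '%s\n' "$1" |
        sed -n 's/ context=.*//; s/.* groups=//p' |
        tr ',' '\n' |
        sed -n 's/^\([0-9][0-9]*\)(\(.*\))$/\1 \2/p;s/^\([0-9][0-9]*\)$/\1/p'
}

# Print groups present in the NSS view ($2) but absent from the session ($1).
# $1: output of `id`            (groups of the running process)
# $2: output of `id username`   (groups resolved through NSS)
missing_from_session() {
    session_gids=" $(id_groups "$1" | cut -d' ' -f1 | tr '\n' ' ')"
    id_groups "$2" | while read -r gid name; do
        case "$session_gids" in
            *" $gid "*) ;;                                  # session has it
            *) printf '%s\n' "$gid${name:+ $name}" ;;        # session lacks it
        esac
    done
}

# Constructed sample output, not copied from the hosts in the thread.
SESSION='uid=8005(myusername) gid=8000(domain users) groups=8000(domain users),2001(local admins)'
NSS='uid=8005(myusername) gid=8000(domain users) groups=8000(domain users),8001(it),2001(local admins),8002'

echo "Groups resolved by NSS but missing from the session:"
missing_from_session "$SESSION" "$NSS"

# On a live host, compare the real views instead:
#   missing_from_session "$(id)" "$(id "$(id -un)")"
```

If the group named in the sudoers rule shows up in this list, the session was started without it, so comparing again after a fresh login is the next check.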