# id username|sed "s/,/\n/g"|wc -l
155

# id|sed "s/,/\n/g"|wc -l
28

On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

> wbinfo -r username
> shows the gid of it
> and a bunch of -1's, I'd guess for groups without gids.
> My user belongs to 155 groups; is there a problem with that many groups?
>
> On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>> "id" alone does not show my user in the it group.
>> "id username" does.
>> Why would id alone give different results?
>>
>> Which is odd, because as my username I can get into a folder that has
>> 0760 permissions with user as root and it as the group.
>>
>> As for
>> %it ALL=(ALL) ALL
>> instead of:
>> %it ALL=(ALL:ALL) ALL
>>
>> it seems to work the same.
>>
>> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
>>
>>> Jeff,
>>>
>>> After the ssh, did you run the "id" command to verify that your account
>>> belongs to the "it" group on the remote system?
>>>
>>> Did you try:
>>> %it ALL=(ALL) ALL
>>> instead of:
>>> %it ALL=(ALL:ALL) ALL
>>>
>>> Regards,
>>> Matt
>>>
>>> ________________________________________
>>> From: samba <samba-bounces at lists.samba.org> on behalf of Jeff Sadowski <jeff.sadowski at gmail.com>
>>> Sent: Monday, December 7, 2015 2:56 PM
>>> To: samba
>>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>>
>>> I can't seem to get this working, and here is what I have done so far.
>>> I am using samba 4.1.6.
>>>
>>> My /etc/samba/smb.conf looks like so:
>>>
>>> security = ads
>>> realm = DOMAIN.LONG
>>> workgroup = DOMAIN
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-7999
>>> idmap config DOMAIN:backend = ad
>>> idmap config DOMAIN:range = 8000-9999999
>>> idmap config DOMAIN:schema_mode = rfc2307
>>> winbind nss info = rfc2307
>>> winbind use default domain = yes
>>> winbind nested groups=yes
>>> # so that the users show up in getent
>>> winbind enum users = Yes
>>> # doesn't seem to do the same for groups :-/
>>> winbind enum groups = Yes
>>> restrict anonymous = 2
>>>
>>> In AD my group it has a gid of 8001:
>>>
>>> # getent group it
>>> it:x:8001:myusername,others
>>>
>>> In /etc/sudoers is the line
>>> %it ALL=(ALL:ALL) ALL
>>>
>>> When I ssh to said machine like so
>>>
>>> ssh myusername at problemhost
>>>
>>> then run a command like so
>>>
>>> > sudo echo
>>> [sudo] password for myusername:
>>> myusername is not in the sudoers file. This incident will be reported.
>>>
>>> I tried adding another line to /etc/sudoers as follows
>>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>>
>>> and
>>>
>>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>>
>>> but neither of them works either.
>>>
>>> I seem to be able to get into the nfs shares I have group permissions to,
>>> but I can not get sudo to work with my AD user group.
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
Jeff,

To find out the maximum number of groups allowed per user, run:

cat /proc/sys/kernel/ngroups_max
or
sysctl kernel.ngroups_max

but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a test account, add it to the "it" group and test it with sudo, or trim your account membership to 16 or fewer groups.

Regards,
Matt

________________________________
From: Jeff Sadowski <jeff.sadowski at gmail.com>
Sent: Tuesday, December 8, 2015 4:59 PM
To: Mattias Zhabinskiy; samba
Subject: Re: [Samba] Adding an AD group to /etc/sudoers?
# cat /proc/sys/kernel/ngroups_max
65536

# sysctl kernel.ngroups_max
kernel.ngroups_max = 65536

Is there a way to change/look at AUTH_SYS?

It seems I have 28 groups now as my user. I tried creating a test user with far fewer groups, but it turns out it is in all those other groups too. As such I tried

winbind nested groups=no

but this doesn't seem to change anything.

On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:

> Jeff,
>
> To find out the maximum number of groups allowed per user, run:
>
> cat /proc/sys/kernel/ngroups_max
> or
> sysctl kernel.ngroups_max
>
> but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a
> test account, add it to the "it" group and test it with sudo, or trim your
> account membership to 16 or fewer groups.
>
> Regards,
>
> Matt
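Two things in this thread are worth checking mechanically rather than by eye: Jeff's observation that "id" (the login session's group vector) and "id username" (what NSS/winbind resolves for the account) disagree, and Matt's advice to compare the group count against kernel.ngroups_max and the 16-group AUTH_SYS ceiling. The script below is an added diagnostic, not code from the thread, from Samba or from sudo; it assumes only a POSIX sh with the coreutils "id" and goes a step beyond the thread's counts by listing exactly which gids the session is missing (a group that NSS knows about but that was not applied at login is the usual reason a "%group" sudoers rule does not match). The gid lists in the comments are constructed sample values.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Pure helpers take gid lists as
# whitespace-separated strings so they can be tested without a live host;
# report_user wires them to "id" on the machine being debugged.

AUTH_SYS_MAX_GROUPS=16   # RPC AUTH_SYS/AUTH_UNIX carries at most 16 gids per call

# count_groups "8001 8002 8003" -> 3 (number of whitespace-separated gids)
count_groups() {
    set -- $1          # intentionally unquoted: word-split the list
    echo "$#"
}

# missing_groups "session gids" "nss gids"
# -> the gids present in the NSS list but absent from the session list.
# Example (constructed): missing_groups "1000 8002" "1000 8001 8002 8003"
# prints "8001 8003".
missing_groups() {
    session=" $1 "
    out=""
    for g in $2; do
        case "$session" in
            *" $g "*) ;;              # already in the session's group vector
            *) out="$out $g" ;;
        esac
    done
    echo "${out# }"
}

# group_limit_status <count> <ngroups_max>
# -> ok | exceeds_authsys | exceeds_kernel
group_limit_status() {
    if [ "$1" -gt "$2" ]; then
        echo exceeds_kernel
    elif [ "$1" -gt "$AUTH_SYS_MAX_GROUPS" ]; then
        echo exceeds_authsys        # fine for local sudo, but NFS AUTH_SYS will truncate
    else
        echo ok
    fi
}

# report_user <username>: live comparison on the host being debugged.
report_user() {
    user=$1
    session=$(id -G)                         # groups of the current login session
    nss=$(id -G "$user") || return 1         # groups NSS/winbind resolves for the account
    ngmax=$(cat /proc/sys/kernel/ngroups_max 2>/dev/null || echo 65536)
    printf 'session groups:     %s\n' "$(count_groups "$session")"
    printf 'nss groups:         %s\n' "$(count_groups "$nss")"
    printf 'missing in session: %s\n' "$(missing_groups "$session" "$nss")"
    printf 'limit status:       %s (ngroups_max=%s)\n' \
        "$(group_limit_status "$(count_groups "$nss")" "$ngmax")" "$ngmax"
}

# Usage on the problem host, as the AD user after ssh:
#   . ./groupcheck.sh && report_user "$(id -un)"
```

If "missing in session" names the gid of the sudoers group (8001 in the thread), sudo is behaving correctly for the group vector it was handed; the thing to fix is why the group is not applied at login (winbind cache state, nested-group resolution, or a login path that never calls initgroups), not the sudoers syntax. A non-empty "exceeds_authsys" only matters for NFS exports using sec=sys.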