# cat /proc/sys/kernel/ngroups_max
65536
# sysctl kernel.ngroups_max
kernel.ngroups_max = 65536

Is there a way to change/look at AUTH_SYS?
Seems I have 28 groups now as my user.
I tried creating a test user with far fewer groups,
but it turns out it is in all those other groups.
As such I tried

winbind nested groups=no

but this doesn't seem to change anything.

On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
> Jeff,
>
> To find out maximum number of groups allowed per user run:
>
> cat /proc/sys/kernel/ngroups_max
> or
> sysctl kernel.ngroups_max
>
> but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a
> test account, add it to the "it" group and test it with sudo, or trim your
> account membership to 16 or fewer groups.
>
> Regards,
> Matt
>
> ------------------------------
> *From:* Jeff Sadowski <jeff.sadowski at gmail.com>
> *Sent:* Tuesday, December 8, 2015 4:59 PM
> *To:* Mattias Zhabinskiy; samba
> *Subject:* Re: [Samba] Adding an AD group to /etc/sudoers?
>
> # id username|sed "s/,/\n/g"|wc -l
> 155
>
> # id|sed "s/,/\n/g"|wc -l
> 28
>
> On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> wbinfo -r username
>> shows the gid of it
>> and a bunch of -1's, I'd guess for groups without gids.
>> My user belongs to 155 groups. Is there a problem with that many groups?
>>
>> On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>> "id" alone does not show my user in the it group
>>> "id username" does
>>> why would id alone give different results?
>>>
>>> which is odd because
>>> as my username I can get into a folder that has 0760 permissions with
>>> user as root and it as the group
>>>
>>> as for
>>> %it ALL=(ALL) ALL
>>> instead of:
>>> %it ALL=(ALL:ALL) ALL
>>>
>>> seems to work the same
>>>
>>> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
>>>> Jeff,
>>>>
>>>> After the ssh did you run "id" command to verify that your account
>>>> belongs to the "it" group on the remote system?
>>>>
>>>> Did you try:
>>>> %it ALL=(ALL) ALL
>>>> instead of:
>>>> %it ALL=(ALL:ALL) ALL
>>>>
>>>> Regards,
>>>> Matt
>>>>
>>>> ________________________________________
>>>> From: samba <samba-bounces at lists.samba.org> on behalf of Jeff Sadowski <jeff.sadowski at gmail.com>
>>>> Sent: Monday, December 7, 2015 2:56 PM
>>>> To: samba
>>>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>>>
>>>> I can't seem to get this working and here is what I have done so far.
>>>> I am using samba 4.1.6
>>>>
>>>> my /etc/samba/smb.conf looks like so
>>>>
>>>> security = ads
>>>> realm = DOMAIN.LONG
>>>> workgroup = DOMAIN
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-7999
>>>> idmap config DOMAIN:backend = ad
>>>> idmap config DOMAIN:range = 8000-9999999
>>>> idmap config DOMAIN:schema_mode = rfc2307
>>>> winbind nss info = rfc2307
>>>> winbind use default domain = yes
>>>> winbind nested groups=yes
>>>> # so that the users show up in getent
>>>> winbind enum users = Yes
>>>> # doesn't seem to do the same for groups :-/
>>>> winbind enum groups = Yes
>>>> restrict anonymous = 2
>>>>
>>>> In AD my group it has a gid 8001
>>>>
>>>> #getent group it
>>>> it:x:8001:myusername,others
>>>>
>>>> in /etc/sudoers is the line
>>>> %it ALL=(ALL:ALL) ALL
>>>>
>>>> when I ssh to said machine like so
>>>>
>>>> ssh myusername at problemhost
>>>>
>>>> then run a command like so
>>>>
>>>> > sudo echo
>>>> [sudo] password for myusername:
>>>> myusername is not in the sudoers file. This incident will be reported.
>>>>
>>>> I tried adding another line to /etc/sudoers as follows
>>>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>>>
>>>> and
>>>>
>>>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>>>
>>>> but neither of them work either.
>>>>
>>>> I seem to be able to get into the nfs shares I have group permissions to
>>>> but I can not get sudo to work with my AD user group.
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
Jeff,

After ssh try to run:

newgrp it

and then sudo. See if it will work, then you'll have to figure out what's
going on with the user's group membership.

Regards,
Matt

________________________________
From: Jeff Sadowski <jeff.sadowski at gmail.com>
Sent: Wednesday, December 9, 2015 10:08 AM
To: Mattias Zhabinskiy; samba
Subject: Re: [Samba] Adding an AD group to /etc/sudoers?
ok after fighting to get my groups sorted out for my test user
I created a "sudoer" group and added "jefftest" to "sudoer"

> id jefftest
uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users),31020(sudoer)

and added "sudoer" to /etc/sudoers like so

%sudoer ALL=(ALL) ALL

now when I log in as jefftest I can run commands using sudo

back to my other user, who I also added to sudoer:
I still cannot run commands using sudo,
but as you suggested I do the "newgrp it" or "newgrp sudoer"
and then I can run commands using sudo

On Wed, Dec 9, 2015 at 8:20 AM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
> Jeff,
>
> After ssh try to run:
>
> newgrp it
>
> and then sudo. See if it will work, then you'll have to figure out what's
> going on with the user's group membership.
>
> Regards,
> Matt
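An added diagnostic for the two things the thread circles around: why plain `id` and `id username` can disagree, and the AUTH_SYS group count. This is example code written for this page, not from Jeff's or Matt's messages and not part of Samba. sudo's `%group` rule is normally matched against the supplementary group list the kernel attached to the process at login (the list plain `id` prints), whereas `id username` asks NSS, and therefore winbind, afresh; `newgrp` works around a stale session by starting a shell whose primary group is the one the session was missing. The sample GIDs below (8513 for domain users, 8001 for it, 31020 for sudoer) are taken from the thread, the split between "session" and "NSS" lists is constructed for the example, the function names are the example's own, and the live check assumes GNU `id`, `getent` and a working winbind NSS module.

```shell
#!/bin/sh
# Added example, not code from the thread: tell "NSS says the account is in
# the group" apart from "this login session actually carries the group".

# in_list "GIDS" GID -> true when GID is one of the whitespace-separated GIDS
in_list() {
    want=$2
    set -- $1                       # re-split so stray newlines do not matter
    case " $* " in *" $want "*) return 0 ;; esac
    return 1
}

# missing_from_session "SESSION_GIDS" "NSS_GIDS"
# Prints, one per line, every GID NSS reports for the account that the
# login session does not carry. Both arguments look like `id -G` output.
missing_from_session() {
    for g in $2; do
        in_list "$1" "$g" || printf '%s\n' "$g"
    done
}

# group_count "GIDS" -> number of GIDs in the list
group_count() { set -- $1; echo "$#"; }

# auth_sys_ok "GIDS" -> true when the list fits AUTH_SYS, whose RPC
# credential carries at most 16 supplementary GIDs (RFC 5531); anything past
# that never reaches an NFS server using sys security.
auth_sys_ok() { [ "$(group_count "$1")" -le 16 ]; }

# check_sudo_group GROUPNAME: live check, run on the host after ssh'ing in.
# Exit 0 when this session will match %GROUPNAME in sudoers, 1 when the
# session lacks the group, 2 when NSS does not know the group at all.
check_sudo_group() {
    gname=$1
    gid=$(getent group "$gname" | cut -d: -f3)
    if [ -z "$gid" ]; then
        echo "group '$gname' is unknown to NSS (check winbind/idmap first)"
        return 2
    fi
    me=$(id -un)
    session_gids=$(id -G)           # what the kernel gave this login
    nss_gids=$(id -G "$me")         # what winbind/NSS says right now
    if in_list "$session_gids" "$gid"; then
        echo "session carries $gname ($gid): %$gname rules in sudoers will match"
        return 0
    fi
    if in_list "$nss_gids" "$gid"; then
        echo "session lacks $gname ($gid) although NSS lists $me in it"
        echo "session has $(group_count "$session_gids") groups, NSS reports $(group_count "$nss_gids")"
        echo "log out and back in, or run 'newgrp $gname', then retry sudo"
    else
        echo "neither the session nor NSS puts $me in $gname ($gid): fix AD membership/idmap first"
    fi
    return 1
}

# Constructed sample mirroring the thread: NSS knows the account is in
# domain users (8513), it (8001) and sudoer (31020), but the login session
# only received 8513 and 31020, so %it fails in sudoers while %sudoer works.
SAMPLE_NSS="8513 8001 31020"
SAMPLE_SESSION="8513 31020"

# Usage: sh check_groups.sh it   (on the problem host, as the affected user)
if [ $# -gt 0 ]; then
    check_sudo_group "$1"
else
    echo "GIDs NSS reports that the sample session lacks:"
    missing_from_session "$SAMPLE_SESSION" "$SAMPLE_NSS"
fi
```

Run it with the group name over ssh as the affected user; when it reports that the session lacks the group while NSS lists it, the sudoers line is fine and the login path is what to look at. On sudo builds with a `sudo.conf`, the `group_source` setting decides whether sudo trusts the process group list or queries the group database itself, which is why the same `%group` line can behave differently between hosts.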