You either have to list the full group name in sudoers, i.e. DOMAIN\groupname, or use the option "winbind use default domain = yes", for one thing.

I'm not sure if you need enumeration, but I like seeing domain users and groups with getent, so I have the options

winbind enum users = yes
winbind enum groups = yes

On Mon, May 2, 2016 at 6:11 AM, Sketch <smblist at rednsx.org> wrote:
> On Mon, 2 May 2016, Andrew Bartlett wrote:
>> On Mon, 2016-05-02 at 07:44 +1000, John Gardeniers wrote:
>>> Hi Andrew,
>>>
>>> Please elaborate, as we're about to put it on Samba 4.2. Thanks.
>>
>> Please don't use 4.2 with the sudo schema. At a client, we have seen
>> that cause database corruption when combined with multiple DCs,
>> specifically duplicate values in the database that sssd really didn't
>> like. It will also require you to run dbcheck from Samba 4.3 or later
>> before you can replicate with a Samba 4.3 DC.
>
> Is this specific to 4.2? I am currently on 4.1 but planning to upgrade to
> 4.2 in the near future since 4.1 is no longer supported by anyone. I had
> previously installed the sudo schema on 4.1, but I was never able to get it
> to work. Maybe I should remove it before upgrading?
>
> BTW, I have seen occasional issues with replication of deleted entries
> that required me to manually go and delete them on the non-master DCs. Is
> this possibly related?
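The two spellings Jeff describes depend on one smb.conf setting, and sudoers adds a wrinkle the message does not mention: the backslash in DOMAIN\groupname (and any space in the group name) must be escaped in the sudoers file. The script below is an added example, not code from the thread; the domain EXAMPLE, the group linuxadmins and the file names are constructed sample values. It derives the %group token for each setting of "winbind use default domain", writes a sudoers drop-in and syntax-checks it with visudo where that is installed.

```sh
#!/bin/sh
# Added example (not from the thread). Derives how a winbind-mapped AD group
# must be spelled in sudoers from the "winbind use default domain" setting,
# writes a drop-in and syntax-checks it with visudo when that is installed.
# Domain EXAMPLE and group linuxadmins are constructed sample values.

# sudoers_group_token DOMAIN GROUP USE_DEFAULT_DOMAIN
# Prints the %group token to use in a sudoers rule.
sudoers_group_token() {
    domain=$1
    group=$2
    use_default=$3
    if [ "$use_default" = "yes" ]; then
        # winbind strips the domain, so NSS reports the group as plain "linuxadmins"
        token="%$group"
    else
        # NSS reports "EXAMPLE\linuxadmins"; sudoers needs the backslash doubled
        token="%${domain}\\\\${group}"
    fi
    # Spaces in AD group names (e.g. "Domain Admins") must be escaped too
    printf '%s\n' "$token" | sed 's/ /\\ /g'
}

# write_sudoers_dropin FILE TOKEN
# Writes one rule granting the group full sudo and checks its syntax.
write_sudoers_dropin() {
    file=$1
    token=$2
    printf '%s ALL=(ALL) ALL\n' "$token" > "$file"
    if command -v visudo >/dev/null 2>&1; then
        # -c = check only, -f = check this file instead of /etc/sudoers
        visudo -cf "$file" || echo "visudo rejected $file" >&2
    else
        echo "visudo not available; skipped syntax check of $file" >&2
    fi
}

main() {
    tmp=$(mktemp -d)
    # Spelling for "winbind use default domain = no" (the default):
    write_sudoers_dropin "$tmp/10-ad-admins" \
        "$(sudoers_group_token EXAMPLE linuxadmins no)"
    # Spelling for "winbind use default domain = yes":
    write_sudoers_dropin "$tmp/10-ad-admins-default-domain" \
        "$(sudoers_group_token EXAMPLE linuxadmins yes)"
    cat "$tmp"/10-ad-admins*
    rm -rf "$tmp"
}

main
```

Before relying on either spelling, confirm what the box actually sees with `getent group 'EXAMPLE\linuxadmins'` (or `getent group linuxadmins` with the default-domain setting): sudo matches the group name NSS returns, so the sudoers token has to be the escaped form of exactly that string.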
I'm using sssd, so winbind options are unlikely to help me... I also believe I tried with and without domain, in multiple forms. We have since started using a config management system, and use that to manage our sudoers files now, so there's not a big need to do it in AD anymore.

On Mon, 2 May 2016, Jeff Sadowski wrote:
> You either have to list the full group name in sudoers, i.e. DOMAIN\groupname,
> or use the option "winbind use default domain = yes",
> for one thing.
>
> I'm not sure if you need enumeration, but I like seeing domain users and
> groups with getent, so I have the options
>
> winbind enum users = yes
> winbind enum groups = yes
>
> On Mon, May 2, 2016 at 6:11 AM, Sketch <smblist at rednsx.org> wrote:
>>
>> Is this specific to 4.2? I am currently on 4.1 but planning to upgrade to
>> 4.2 in the near future since 4.1 is no longer supported by anyone. I had
>> previously installed the sudo schema on 4.1, but I was never able to get it
>> to work. Maybe I should remove it before upgrading?
On 02/05/16 14:55, Jeff Sadowski wrote:
> You either have to list the full group name in sudoers, i.e. DOMAIN\groupname,
> or use the option "winbind use default domain = yes",
> for one thing.

The whole idea about using AD for sudo is not to use sudoers.

> I'm not sure if you need enumeration, but I like seeing domain users and
> groups with getent, so I have the options

No, you don't need enumeration, and I take it you don't have a really large amount of users.

Rowland

> winbind enum users = yes
> winbind enum groups = yes
On Mon, 2 May 2016, Rowland Penny wrote:
> On 02/05/16 14:55, Jeff Sadowski wrote:
>> You either have to list the full group name in sudoers, i.e. DOMAIN\groupname,
>> or use the option "winbind use default domain = yes",
>> for one thing.
>
> The whole idea about using AD for sudo is not to use sudoers.

I assumed he was talking about the sudoers entries in LDAP, but you might be right.
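For readers who have not seen the alternative Rowland and Sketch are referring to: with the sudo LDAP schema, rules live in the directory as sudoRole objects instead of in /etc/sudoers. The LDIF below is an added example, not taken from the thread or from Samba; the container ou=sudoers,dc=example,dc=com and the group linuxadmins are constructed sample values.

```ldif
# Added example, not from the thread: what "sudoers entries in LDAP" look
# like with the sudo LDAP schema (objectClass sudoRole). The DN suffix and
# the group name are constructed sample values.

# Optional defaults entry; its sudoOption values apply to every rule
dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption values applied to every sudoRole
sudoOption: env_reset

# One rule: members of linuxadmins may run any command as any user on any host
dn: cn=linuxadmins,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: linuxadmins
# %group is matched against the group name the client's NSS returns (sssd or
# winbind), so the same domain-prefix question as in sudoers applies here
sudoUser: %linuxadmins
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
```

The client side has to be told to look there: with sssd that is `sudo_provider = ad` (or `ldap`) in the domain section of sssd.conf, `sudo` added to `services`, and `sudoers: files sss` in nsswitch.conf. Note Andrew's warning earlier in the thread that loading this schema into a Samba 4.2 multi-DC domain caused duplicate values and required a later dbcheck.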