John R. Graham
2025-Feb-14 15:51 UTC
[Samba] Reported group membership is different between domain member and Samba ADC
I was experimenting with centralized administration of Linux administrative privileges, so I created the group. (I have to assume that there's nothing fundamentally wrong with creating a domain group for some special purpose.) I then added to /etc/sudoers:

    %SAMDOM\\wheel ALL=(ALL:ALL) ALL

and to /etc/pam.d/su

    auth        required    pam_wheel.so use_uid group=SAMDOM\wheel

With those changes the domain members seem to honor the domain group to allow sudo and su, but the ADC does not, presumably because the effective group membership is different. Now, if you were to argue that I don't need a new group, that I should be using "Administrators" or "Domain Admins" instead, then I'd accept that criticism. I just thought that "wheel" was a more *nix-flavored name. And certainly a domain user's effective domain group membership shouldn't be different when viewed on different domain member machines, should it?

- John

On 2/14/25 10:36, Rowland Penny via samba wrote:
> On Fri, 14 Feb 2025 10:03:33 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>
>> On my Linux domain members, group membership for my domain login is
>> reported as:
>>
>>     terra # id SAMDOM\\jgraham
>>     uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users)
>> groups=10513(SAMDOM\domain users),11105(SAMDOM\jgraham),11120(SAMDOM\wheel),3001(BUILTIN\users)
>>
>> (I filtered local groups to make the output less noisy.) But on the
>> ADC the same command gives different results:
>>
>>     dc1 # id SAMDOM\\jgraham
>>     uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users)
>> groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)
>>
>> The difference that's causing me an issue right now is the missing
>> membership in the domain "wheel" group. How would I go about
>> troubleshooting this?
>>
>> - John
>
> The real question here is:
>
> Why do you need a group called wheel ?
>
> There isn't one in AD by default, nor on Debian, but redhat uses it,
> but it is a local group and shouldn't be in AD.
>
> Rowland
Rowland Penny
2025-Feb-14 16:22 UTC
[Samba] Reported group membership is different between domain member and Samba ADC
On Fri, 14 Feb 2025 10:51:57 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:

> I was experimenting with centralized administration of Linux
> administrative privileges, so I created the group. (I have to assume
> that there's nothing fundamentally wrong with creating a domain group
> for some special purpose.) I then added to /etc/sudoers:
>
>     %SAMDOM\\wheel ALL=(ALL:ALL) ALL
>
> and to /etc/pam.d/su
>
>     auth        required    pam_wheel.so use_uid group=SAMDOM\wheel
>
> With those changes the domain members seem to honor the domain group
> to allow sudo and su, but the ADC does not, presumably because the
> effective group membership is different. Now, if you were to argue
> that I don't need a new group, that I should be using
> "Administrators" or "Domain Admins" instead, then I'd accept that
> criticism. I just thought that "wheel" was a more *nix-flavored
> name. And certainly the effective domain user domain group membership
> shouldn't be different when viewed on different domain member
> machines, should it?

Well yes, you can do it that way, but there is an easier way. There is a group in AD called 'Domain Admins'. Add any AD users that you want to be domain administrators to that group, then, using visudo, add this line to the sudo config:

    %SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL

Where 'SAMDOM' is your NetBIOS domain name.

Check that your users are members of Domain Admins; you can do this with 'getent group domain\ admins'.

Now when they log in your domain administrators will be able to use sudo.

For extra brownie points, you could store the sudo rules in AD ;-)

Rowland
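As an added example (not code from either poster or from the Samba project), the POSIX shell script below takes the two `id` outputs John quoted as constructed input, lists which group names are resolved on the domain member but not on the DC, and builds a correctly escaped sudoers User_Spec for a domain group, including the 'Domain Admins' line Rowland gives and John's custom wheel group. The function names are my own; the `id` strings are copied from the thread and joined onto one line each.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the two `id` outputs
# John posted (pasted here as constructed input so the script runs offline)
# and builds a correctly escaped sudoers rule for a domain group.

# Constructed input: `id SAMDOM\\jgraham` as reported on a domain member and
# on the DC, copied from the thread and joined onto one line each.
MEMBER_ID='uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),11105(SAMDOM\jgraham),11120(SAMDOM\wheel),3001(BUILTIN\users)'
DC_ID='uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)'

# group_names: print the resolved group names from one `id` line, one per
# line. Entries with a GID but no name in parentheses (3000020 on the DC)
# are skipped, because a bare number is exactly what a sudoers %group rule
# and pam_wheel's group= option cannot match by name.
group_names() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# missing_on: names resolved in the first `id` line but absent from the
# second. grep -F -x compares whole lines literally, so the backslash in
# SAMDOM\wheel is not treated as a regex escape.
missing_on() {
    group_names "$1" | while IFS= read -r g; do
        group_names "$2" | grep -Fqx -- "$g" || printf '%s\n' "$g"
    done
}

# sudoers_rule: build a User_Spec for a domain group. In sudoers the
# backslash between NetBIOS domain and group is doubled and each space in
# the group name is escaped, which is how both lines in the thread read:
#   %SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL
sudoers_rule() {
    escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/ /\\ /g')
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$escaped"
}

echo "Groups resolved on the member but not on the DC:"
missing_on "$MEMBER_ID" "$DC_ID" | sed 's/^/  /'
echo
echo "sudoers rule for Domain Admins:"
sudoers_rule 'SAMDOM\domain admins'
echo "sudoers rule for the custom wheel group:"
sudoers_rule 'SAMDOM\wheel'
```

On a live system, replace the two constructed strings with the output of `id "SAMDOM\\jgraham"` captured on each host, and check the generated rule with `visudo -cf` on a scratch file before installing it under /etc/sudoers.d. Note that the script reports only names; the unresolved 3000020 on the DC shows up as a missing name, not as a mismatch it can explain.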