samba - Feb 2025 - Reported group membership is different between domain member and Samba ADC

I was experimenting with centralized administration of Linux 
administrative privileges, so I created the group. (I have to assume 
that there's nothing fundamentally wrong with creating a domain group 
for some special purpose.) I then added to /etc/sudoers:

 ??? %SAMDOM\\wheel ALL=(ALL:ALL) ALL

and to /etc/pam.d/su

 ??? auth??????? required??? pam_wheel.so use_uid group=SAMDOM\wheel

With those changes the domain members seem to honor the domain group to 
allow sudo and su, but the ADC does not, presumably because the 
effective group membership is different. Now, if you were to argue that 
I don't need a new group, that I should be using "Administrators"
or
"Domain Admins" instead, then I'd accept that criticism. I just
thought
that "wheel" was a more *nix -flavored name. And certainly the
effective
domain user domain group membership shouldn't be different when viewed 
on different domain member machines, should it?

- John

On 2/14/25 10:36, Rowland Penny via samba wrote:
> On Fri, 14 Feb 2025 10:03:33 -0500
> "John R. Graham via samba" <samba at lists.samba.org>
wrote:
>
>> On my Linux domain members, group membership for my domain login is
>> reported as:
>>
>>   ??? terra #? id SAMDOM\\jgraham
>>   ??? uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users)
>> groups=10513(SAMDOM\domain
>> users),11105(SAMDOM\jgraham),11120(SAMDOM\wheel),3001(BUILTIN\users)
>>
>> (I filtered local groups to make the output less noisy.) But on the
>> ADC the same command give different results:
>>
>>   ??? dc1 # id SAMDOM\\jgraham
>>   ??? uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users)
>> groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)
>>
>> The difference that's causing me an issue right now is the missing
>> membership in the domain "wheel" group. How would I go about
>> troubleshooting this?
>>
>> - John
> The real question here is:
>
> Why do you need a group called wheel ?
>
> There isn't one in AD by default, nor on Debian, but redhat uses it,
> but it is a local group and shouldn't be in AD.
>
> Rowland
>
>

On Fri, 14 Feb 2025 10:51:57 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> I was experimenting with centralized administration of Linux 
> administrative privileges, so I created the group. (I have to assume 
> that there's nothing fundamentally wrong with creating a domain group 
> for some special purpose.) I then added to /etc/sudoers:
> 
>  ??? %SAMDOM\\wheel ALL=(ALL:ALL) ALL
> 
> and to /etc/pam.d/su
> 
>  ??? auth??????? required??? pam_wheel.so use_uid group=SAMDOM\wheel
> 
> With those changes the domain members seem to honor the domain group
> to allow sudo and su, but the ADC does not, presumably because the 
> effective group membership is different. Now, if you were to argue
> that I don't need a new group, that I should be using
> "Administrators" or "Domain Admins" instead, then
I'd accept that
> criticism. I just thought that "wheel" was a more *nix -flavored
> name. And certainly the effective domain user domain group membership
> shouldn't be different when viewed on different domain member
> machines, should it?
> 
Well yes, you can do it that way, but there is an easier way.
There is a group in AD called 'Domain Admins'
Add any AD users that you want to be domain administrators to that
group, then, using visudo add this line to the sudo config:

%SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL

Where 'SAMDOM' is your NetBIOS domain name.

Check that your users are members of Domain Admins, you can do this
with 'getent group domain\ admins'

Now when they log in your domain administrators will be able to use
sudo.

For extra brownie points, you could store the sudo rules in AD ;-)

Rowland