[sudo-users] Solaris 10, AD authentication and sudo (excessive) AD group lookups
Jeff Martin
Jeff.Martin at panasonic.aero
Thu Jun 14 10:53:18 MDT 2018
Todd,
That seems to have done the trick. Sudo sees all 166 AD groups. Appreciate the quick response.
_Jeff
-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at sudo.ws]
Sent: Thursday, June 14, 2018 6:07 AM
To: Jeff Martin <Jeff.Martin at panasonic.aero>
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Solaris 10, AD authentication and sudo (excessive) AD group lookups
On Wed, 13 Jun 2018 17:18:24 -0000, Jeff Martin wrote:
> A user belonging to many (> 150) AD groups may not allow sudo to see the
> groups, so lookup of %GROUP in sudoers fails with "permission not
> allowed" if the group is not in the first 32 lookups.
>
> Solaris 10 SPARC
> Sudo 1.8.23
> Compiled on system default options
> Powerbroker Open AD authentication
>
> User belongs to 166 AD groups.
> Powerbroker sees 166 AD group memberships.
> Sudo sees 32 groups based on turning on sudo debug mode and checking
> the logs for # occurrences of "user is a member of ...."
Please try adding the following lines to your sudo.conf file:
Set group_source dynamic
Set max_groups 256
Sudo will query the nsswitch group provider for the user's groups, but I don't know whether Powerbroker will expose all groups or just up to the system maximum.
- todd
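A small check script for the two sudo.conf settings Todd suggests, added here as an example (it is not part of the thread and not sudo's own code). It assumes, as Jeff's counting method implies, that sudo's debug log emits one "user is a member of ..." line per group it sees; the log lines, the before/after sudo.conf contents and the group count are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the sudo project: sanity checks for
# the group_source / max_groups settings in sudo.conf.
# The only sudo log text taken from the thread is "user is a member of";
# everything else below is constructed sample data.

# Constructed sudo debug-log excerpt (assumes one such line per group seen).
SAMPLE_DEBUG_LOG='Jun 14 06:00:01 sudo[1234] user is a member of group wheel
Jun 14 06:00:01 sudo[1234] user is a member of group domain-admins
Jun 14 06:00:01 sudo[1234] user is a member of group ops
Jun 14 06:00:01 sudo[1234] other unrelated debug line'

# Constructed sudo.conf contents: before (nothing set, so sudo relies on the
# group list the system hands it) and after (the two lines from the reply).
SUDO_CONF_BEFORE='# no Set lines: sudo uses the group list supplied by the system'
SUDO_CONF_AFTER='Set group_source dynamic
Set max_groups 256'

# count_groups_seen LOG_TEXT: number of groups sudo reported in a debug log.
count_groups_seen() {
    printf '%s\n' "$1" | grep -c 'user is a member of'
}

# conf_max_groups CONF_TEXT: value of "Set max_groups N"; prints 0 if unset.
conf_max_groups() {
    v=$(printf '%s\n' "$1" | awk '$1 == "Set" && $2 == "max_groups" { print $3 }')
    printf '%s\n' "${v:-0}"
}

# conf_group_source_dynamic CONF_TEXT: exit 0 if "Set group_source dynamic"
# is present, 1 otherwise.
conf_group_source_dynamic() {
    printf '%s\n' "$1" | awk '$1 == "Set" && $2 == "group_source" && $3 == "dynamic" { found = 1 }
                              END { exit !found }'
}

# check_conf CONF_TEXT EXPECTED_GROUPS: prints "ok" when the config would let
# sudo see a user with EXPECTED_GROUPS groups, otherwise prints the reason.
check_conf() {
    conf=$1; need=$2
    if ! conf_group_source_dynamic "$conf"; then
        echo "group_source is not dynamic"; return 1
    fi
    max=$(conf_max_groups "$conf")
    if [ "$max" -lt "$need" ]; then
        echo "max_groups $max is below the user's $need groups"; return 1
    fi
    echo ok
}

# Example run against the constructed data (166 is the group count from the thread).
echo "groups seen in sample log: $(count_groups_seen "$SAMPLE_DEBUG_LOG")"
echo "before: $(check_conf "$SUDO_CONF_BEFORE" 166)"
echo "after:  $(check_conf "$SUDO_CONF_AFTER" 166)"
```

On a real host you would feed check_conf the contents of /etc/sudo.conf and the number of groups the directory reports for the user (e.g. the count from "id -G"), and compare count_groups_seen against that same number after a sudo run with debug logging on; a mismatch means either max_groups is still too low or, as Todd notes, the nsswitch provider itself is capping the list.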