[sudo-users] Winbind group not visible to sudo?
link at pobox.com
Sun Jan 9 08:16:25 EST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Ok, I'm now officially losing my mind here.
My sudo does not seem to recognize %groups coming from winbind?
I have a RHEL 3.0 box set up with Samba's winbind and Kerberos etc. and some
PAM trickery so that a specific group (“UNIXAdmins”) of users in our Active
Directory can log in.
Logging in (via SSH) and doing `id` shows that the OS as such recognizes the
user, its primary group (“Domain Users”), and the other groups it's a member
of; including the group I'm interested in (“UNIXAdmins”). `id` shows both
user/group names and uid/gid, so this lookup seems to be working.
Further, `getent passwd <user>` and `getent group <group>` on the relevant
user and group returns the expected information (sufficiently bog standard
looking that I'm omitting it for brevity).
Even adding the specific user to sudoers works as expected.
However, setting sudoers to permit the group %UNIXAdmins fails.
On the theory that sudo might be reading /etc/(passwd|group) directly instead
of using getent() I tried strace'ing it. Tracing the commend directly failed
due to some setuid oddness (which I guess is expected behaviour?), and
stracing the pid from the point where sudo waits for the password revealed
very little except that it opens two pipes whose names suggest they belong to
winbind and Samba.
It showed me nothing suggesting why sudo might be failing to recognize the
group (strace output available if anyone is interested).
So... Any suggestions? Am I missing something obvious?
Anything else I could try to figure out what's going on here?
BTW, I started out with the group called “UNIX Admins” and ran up against
sudo's lack of support for group names containing spaces (which is shared by
at least one PAM module, so I guess singeling out sudo would be unfair). I
since changed the group name to “UNIXAdmins”, and the change /seems/ to have
been picked up everywhere, but I guess it might be lingering in its old form
somewhere tripping me up.
Also, the primary group of the user in question is “Domain Users” — i.e.
containing a space character — so I guess this might be a problem?
Now Playing "Regulate" by "Warren G"
from the album "HIP HOP The Collection (Disc 1)".
As a cat owner, I know this for a fact... Nothing says "I love you" like a
decapitated gopher on your front porch.
-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.0.3
-----END PGP SIGNATURE-----
More information about the sudo-users