[sudo-users] Winbind group not visible to sudo?

Todd C. Miller Todd.Miller at courtesan.com
Sun Jan 9 14:23:07 EST 2005


Sudo uses getgrnam() to look up groups and then does a string compare
to see if the user is a member.  On some (most?) systems, getgrnam()
appears to only provide data for the first source specified in
nsswitch.conf that contained the group in question.  This can cause
problems when the users are listed in a group db other than /etc/group
when /etc/group is the first source in /etc/nsswitch.conf.  A
workaround is to change the order in /etc/nsswitch.conf.

The reason 'id' works is that it uses the supplemental group vector
directly (via getgroups(2)).  Sudo 1.7 will also use the supplemental
group vector if it is present, which helps work around this kind of
problem.  The code to support this is already in the sudo cvs source
tree.

 - todd
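
Added example, not part of the original post and not sudo's own code: a small C diagnostic that runs the two checks described above side by side, the string compare against the member list returned by getgrnam() and the gid lookup in the supplemental group vector from getgroups(2). The function names user_in_group_entry and gid_in_vector are hypothetical, chosen for this illustration.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Name-based check: string-compare the user against the member list of a
 * single group entry, which is all that getgrnam() hands back. */
int user_in_group_entry(const struct group *gr, const char *user)
{
    if (gr == NULL || gr->gr_mem == NULL || user == NULL)
        return 0;
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Vector-based check: look for the gid in a supplemental group vector such
 * as the one getgroups(2) returns for the calling process. */
int gid_in_vector(gid_t gid, const gid_t *vec, int n)
{
    for (int i = 0; i < n; i++)
        if (vec[i] == gid)
            return 1;
    return 0;
}

/* Run as the user being diagnosed: the vector belongs to this process. */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user group\n", argv[0]);
        return 2;
    }
    struct group *gr = getgrnam(argv[2]);
    if (gr == NULL) {
        fprintf(stderr, "group %s not found\n", argv[2]);
        return 1;
    }
    gid_t vec[1024];
    int n = getgroups(1024, vec);
    printf("getgrnam() member list : %s\n",
           user_in_group_entry(gr, argv[1]) ? "member" : "not a member");
    printf("supplemental vector    : %s\n",
           gid_in_vector(gr->gr_gid, vec, n) ? "member" : "not a member");
    return 0;
}
```

If the first line says "not a member" while the second says "member", the entry getgrnam() returned came from a source that does not list the user, which is the situation the post describes.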


