[sudo-users] Sudo + Winbind nested groups.

Tom McLaughlin tmclaugh at sdf.lonestar.org
Fri Sep 9 00:27:35 EDT 2005


I'm trying to get sudo to work with my winbind nested groups on my
CentOS 4.1 box.  Our NT domain has a group called "Domain Server Admin"
which is a member of my machine's local "Unix Admins" group.  Unix
Admins is group mapped to "wheel".  I did this as a workaround for
sudoers not handling group names with spaces and because I just usually
associate the wheel group with *nix admins.

I followed the thread here, which talks about switching the groups lookup
order in nsswitch.conf:
http://www.sudo.ws/pipermail/sudo-users/2005-January/002337.html

Sudo still doesn't accept my domain user as being part of the wheel
group though.  After some experimenting with getgrnam resolution via
this:

http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/testsuite/nsswitch/getgrnam.c?rev=2&view=markup

I found that the problem is caused by the winbind groupmap from a local
SMB group to a local Unix group.  If I remove the groupmap there is no
problem and the nsswitch.conf ordering will fix or break the group
membership list as mentioned in the above thread.

I know this is planned to be fixed in 1.7 but I'm not sure of its ETA
and the changes were too big for me to back patch with my lack of C
knowledge from HEAD to 1.6.7.  All I would like to know is if anyone
else out there has a patch for 1.6.x to handle winbind mapped groups and
is willing to share.  If not, I have a backup plan but I'm in the
beginnings of deploying a few boxes and would like to avoid having to go
back and correct my setup.  

Thanks,
Tom

-- 
BSD# Project - Mono on FreeBSD
http://www.mono-project.com/Mono:FreeBSD
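A small diagnostic, added here and not part of the original post, that reproduces the kind of membership test a `%wheel` sudoers entry gets under sudo 1.6.x: look the group up with getgrnam() (so the nsswitch.conf order applies), then match on the user's primary gid or on the group's explicit member list. Nested membership that winbind only exposes through initgroups()/`id` never shows up in gr_mem, which is the gap described above; the user and group names are placeholders taken from the command line.

```c
/* Added example: sudo-1.6-style group membership check via NSS.
 * Compare its verdict with `id -Gn <user>` to see whether a winbind
 * nested group is visible in the group's member list at all. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Pure check on an already-resolved group entry: match if the user's
 * primary gid equals the group's gid, or the user is listed in gr_mem. */
int user_matches_group(const struct group *gr, const char *user, gid_t user_gid)
{
    char **m;
    if (gr == NULL)
        return 0;
    if (gr->gr_gid == user_gid)
        return 1;
    for (m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Resolve user and group through NSS (honouring nsswitch.conf order).
 * Returns 1 = member, 0 = not a member, -1 = user or group unknown. */
int check_sudo_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr;
    if (pw == NULL)
        return -1;
    gr = getgrnam(group);
    if (gr == NULL)
        return -1;
    return user_matches_group(gr, user, pw->pw_gid);
}

int main(int argc, char **argv)
{
    /* Placeholder defaults; pass the real winbind user and group. */
    const char *user = argc > 1 ? argv[1] : "root";
    const char *group = argc > 2 ? argv[2] : "wheel";
    int r = check_sudo_group(user, group);
    if (r < 0)
        printf("%s or %s: NSS lookup failed\n", user, group);
    else
        printf("%s %s member of %s (sudo 1.6 style check)\n",
               user, r ? "IS" : "is NOT", group);
    return r == 1 ? 0 : 1;
}
```

Run it as `./check DOMAIN+user wheel` next to `getent group wheel` and `id -Gn DOMAIN+user`; if `id` lists the group but gr_mem does not contain the user, sudo 1.6.x will refuse the match regardless of the nsswitch.conf ordering.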



