[sudo-users] sudoers and winbind

Paul Cantle paul at cantle.me
Mon Jul 12 11:41:20 EDT 2010


This is my first post to this group so hope this helps.

With regards to the AD integration:

1) I don't use winbind to integrate my Linux systems into AD (I use krb and LDAP) so can't really comment on that part of it :-( Sorry.

2) By default, Active Directory (not sure what version you're using (assuming 2003R2 or 2008)) does not allow anonymous queries. You can either change that or add this into /etc/ldap.conf

host x.x.x.x
url ldap://your_dc.fqdn (or ldaps:// if that's applicable).
base dc=your,dc=domain,dc=com
binddn user at your.domain.com
bindpw PlainTxtPw

I'd make that user a "noddy" account with minimum AD privs. (sorry if you're already doing this and I'm making out you don't know...it's not my intention).

3) With regards to the specific sudoers section - in /etc/ldap.conf

sudoers_base ou=SUDOers,dc=your,dc=domain,dc=com

4) You'll need to convert your current (or a new) /etc/sudoers into ldif format using the scripts provided in the sudo distro (they're not perfect at this stage), then import it into your AD by running ldifde.exe on (one of) your Domain Controllers.

5) The NOPASSWD flag (in/etc/sudoers) is replaced with a "!authenticate" flag in one of the sudoOption: attributes for the relevant sudoRole:. On the flip-side "authenticate" is the same as the default of PASSWD which is also placed in one of the sudoOption: attributes. 

You will need to add the AD users/groups (using "username" or "%groupname") into the sudoUser: attribute in the relevant group to grant the permissions. To add additional users, groups, perms, etc into sudoers once it's in the AD. You can use ADUC as per normal AD management and then right click the groups in the SUDOers OU and then select the attributes you want to manage. Once you save, changes take effect straight away.

Regardless of anonymous connections to the AD. Anyone on the system can read /etc/ldap.conf (well, if they want to use the features that it controls they'll need to), also, as all users are logged in via the AD anyway, by default, anyone could do an "ldapsearch", authenticate as themselves and then view the SUDOers attributes (not sure if there is a way to prevent this). So on that note, I don't know how you'd get the same perms as UNIX 400 root:root.

Also, it's just worth noting that if your current /etc/sudoers uses command_aliases then they'll not import into the AD and actually work. You'll need to list the absolute commands in the sudoCommand: attributes (with the exception of the "ALL" alias, which works fine).

I hope that helps a bit


From: sudo-users-bounces at courtesan.com [sudo-users-bounces at courtesan.com] On Behalf Of Boomer Brainfood [boomer at brainfood.homelinux.org]
Sent: 12 July 2010 15:34
To: sudo-users at sudo.ws
Subject: [sudo-users] sudoers and winbind

Hello everybody,

my company want's to integrate all Unix servers into active directory.
For "normal" account management I decided more or less to go down the
winbind route.
To have all information in one place, we also want to put sudoers in the AD.
Now the question is, how can I access the information ?
I don't think, winbind can provide sudoers information.
So, I guess I have to maintin a separate ldap.conf for sudo.
But, how does sudo authenticate to the LDAP server (the user is
authenticated using pam and thus through winbind (unless NOPASSWD is
- somebody told me that AD doesn't support anonymous queries
- if anonymous queries are possible, then sudoers becomes world-readable,
which is different from the local filesystem


Minds are like parachutes
They only function when open

sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:

More information about the sudo-users mailing list