[sudo-users] sudoers and winbind

Boomer Brainfood boomer at brainfood.homelinux.org
Tue Jul 13 03:32:28 EDT 2010


Hi,

thank you very much for your very interesting explanation. I will review
it as soon as I have a test AD controller.

Is using a proxy user the definitive solution ? I’d prefer anonymous
queries over a proxy user.

Sincerely
Bernhard


On Mon, July 12, 2010 17:44, Paul Cantle wrote:
> Apologies
>
> url should be uri
>
> rgds
>
> Paul
> ________________________________________
> From: sudo-users-bounces at courtesan.com [sudo-users-bounces at courtesan.com]
> On Behalf Of Paul Cantle [paul at cantle.me]
> Sent: 12 July 2010 16:41
> To: Boomer Brainfood; sudo-users at sudo.ws
> Subject: Re: [sudo-users] sudoers and winbind
>
> Hi,
>
> This is my first post to this group so hope this helps.
>
> With regards to the AD integration:
>
> 1) I don't use winbind to integrate my Linux systems into AD (I use krb
> and LDAP) so can't really comment on that part of it :-( Sorry.
>
> 2) By default, Active Directory (not sure what version you're using
> (assuming 2003R2 or 2008)) does not allow anonymous queries. You can
> either change that or add this into /etc/ldap.conf
>
> host x.x.x.x
> url ldap://your_dc.fqdn (or ldaps:// if that's applicable).
> base dc=your,dc=domain,dc=com
> binddn user at your.domain.com
> bindpw PlainTxtPw
>
> I'd make that user a "noddy" account with minimum AD privs. (sorry if
> you're already doing this and I'm making out you don't know...it's not my
> intention).
>
> 3) With regards to the specific sudoers section - in /etc/ldap.conf
>
> sudoers_base ou=SUDOers,dc=your,dc=domain,dc=com
>
> 4) You'll need to convert your current (or a new) /etc/sudoers into ldif
> format using the scripts provided in the sudo distro (they're not perfect
> at this stage), then import it into your AD by running ldifde.exe on (one
> of) your Domain Controllers.
>
> 5) The NOPASSWD flag (in /etc/sudoers) is replaced with a "!authenticate"
> flag in one of the sudoOption: attributes for the relevant sudoRole:. On
> the flip-side "authenticate" is the same as the default of PASSWD which is
> also placed in one of the sudoOption: attributes.
>
> You will need to add the AD users/groups (using "username" or
> "%groupname") into the sudoUser: attribute in the relevant group to grant
> the permissions. To add additional users, groups, perms, etc into sudoers
> once it's in the AD, you can use ADUC as per normal AD management and then
> right click the groups in the SUDOers OU and then select the attributes
> you want to manage. Once you save, changes take effect straight away.
>
> Regardless of anonymous connections to the AD, anyone on the system can
> read /etc/ldap.conf (well, if they want to use the features that it
> controls they'll need to), also, as all users are logged in via the AD
> anyway, by default, anyone could do an "ldapsearch", authenticate as
> themselves and then view the SUDOers attributes (not sure if there is a
> way to prevent this). So on that note, I don't know how you'd get the same
> perms as UNIX 400 root:root.
>
> Also, it's just worth noting that if your current /etc/sudoers uses
> command_aliases then they'll not import into the AD and actually work.
> You'll need to list the absolute commands in the sudoCommand: attributes
> (with the exception of the "ALL" alias, which works fine).
>
> I hope that helps a bit
>
> Paul
>
> ________________________________________
> From: sudo-users-bounces at courtesan.com [sudo-users-bounces at courtesan.com]
> On Behalf Of Boomer Brainfood [boomer at brainfood.homelinux.org]
> Sent: 12 July 2010 15:34
> To: sudo-users at sudo.ws
> Subject: [sudo-users] sudoers and winbind
>
> Hello everybody,
>
> my company wants to integrate all Unix servers into active directory.
> For "normal" account management I decided more or less to go down the
> winbind route.
> To have all information in one place, we also want to put sudoers in the
> AD.
> Now the question is, how can I access the information ?
> I don't think, winbind can provide sudoers information.
> So, I guess I have to maintain a separate ldap.conf for sudo.
> But, how does sudo authenticate to the LDAP server (the user is
> authenticated using pam and thus through winbind (unless NOPASSWD is
> defined))
> - somebody told me that AD doesn't support anonymous queries
> - if anonymous queries are possible, then sudoers becomes world-readable,
> which is different from the local filesystem
>
> Sincerely
> Bernhard
>
>
>
> --
> Minds are like parachutes
> They only function when open
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>


-- 
When did I realize I was God?
Well, I was praying and I suddenly realized I was talking to myself.
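Paul's steps 4 and 5 in the quoted mail (convert sudoers to LDIF, NOPASSWD becomes `sudoOption: !authenticate`, "username" or "%groupname" goes into sudoUser, absolute paths into sudoCommand, aliases do not import), as an added example that is not from the thread and not sudo's own sudoers2ldif script: a minimal converter for plain one-line user specs. It assumes the sudoRole attribute names from sudo's LDAP schema, a constructed sudoers fragment, and a made-up base DN matching the sudoers_base you would set in /etc/ldap.conf.

```python
import re

# Constructed sample sudoers fragment (not from the thread). No Cmnd_Alias
# lines on purpose: aliases do not import, so commands are listed as
# absolute paths, with ALL as the one alias that still works.
SAMPLE_SUDOERS = """\
# constructed sample
%wheel  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl, /bin/mount
"""

# One user spec per line: user host=(runas) [NOPASSWD:|PASSWD:] cmd, cmd
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?"
    r"(?P<cmds>.+)$"
)


def sudoers_to_ldif(text: str, sudoers_base: str) -> str:
    """Emit one sudoRole entry per rule under sudoers_base (the same DN
    you put in /etc/ldap.conf as sudoers_base)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line (expand aliases first): {raw}")
        cn = m["user"].lstrip("%")            # %wheel -> cn=wheel
        attrs = [
            f"dn: cn={cn},{sudoers_base}",
            "objectClass: top",
            "objectClass: sudoRole",
            f"cn: {cn}",
            f"sudoUser: {m['user']}",         # "username" or "%groupname"
            f"sudoHost: {m['host']}",
            f"sudoRunAsUser: {m['runas'] or 'root'}",  # sudoers default runas
        ]
        attrs += [f"sudoCommand: {c.strip()}" for c in m["cmds"].split(",")]
        if m["tag"] == "NOPASSWD":            # PASSWD is the default: no option
            attrs.append("sudoOption: !authenticate")
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(sudoers_to_ldif(SAMPLE_SUDOERS, "ou=SUDOers,dc=example,dc=com"))
```

The output is what you would import with ldifde.exe on a domain controller; note that every sudoRole entry is then readable by any user who can bind to the directory, which is exactly the world-readability difference Bernhard raises.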
