[sudo-users] sudoers and winbind

Stier, Matthew Matthew.Stier at us.fujitsu.com
Tue Jul 13 07:59:32 EDT 2010


It's simple enough to set up OpenLDAP as a relay between anonymous and
proxyuser.

I originally set up the OpenLDAP as a meta-ldap server; returning the
results from searches of three directory servers (corporate and two
engineering servers) to Unix e-mail clients, and various network
devices.  Now with e-mail consolidated at the corporate level, it is
simply a bridge between the clients and devices expecting anonymous
access, and the corporate AD server, expecting proxy user.

PS: What devices?  Our multi-function printer/copiers also scan to
e-mail.  The MFPs are configured to use the OpenLDAP servers as a Network
Addressbook.


-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Paul Cantle
Sent: Tuesday, July 13, 2010 6:12 AM
To: Boomer Brainfood
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudoers and winbind

Hi,

If you want to browse the AD anonymously, then this article explaining
how to use ADSIEdit will probably help -
http://support.microsoft.com/kb/320528

Regards

Paul

-----Original Message-----
From: Boomer Brainfood [mailto:boomer at brainfood.homelinux.org] 
Sent: 13 July 2010 08:32
To: Paul Cantle
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] sudoers and winbind

Hi,

thank you very much for your very interesting explanation. I will review
it as soon as I have a test AD controller.

Is using a proxy user the definitive solution ? I'd prefer anonymous
queries over a proxy user.

Sincerely
Bernhard


On Mon, July 12, 2010 17:44, Paul Cantle wrote:
> Apologies
>
> url should be uri
>
> rgds
>
> Paul
> ________________________________________
> From: sudo-users-bounces at courtesan.com 
> [sudo-users-bounces at courtesan.com]
> On Behalf Of Paul Cantle [paul at cantle.me]
> Sent: 12 July 2010 16:41
> To: Boomer Brainfood; sudo-users at sudo.ws
> Subject: Re: [sudo-users] sudoers and winbind
>
> Hi,
>
> This is my first post to this group so hope this helps.
>
> With regards to the AD integration:
>
> 1) I don't use winbind to integrate my Linux systems into AD (I use 
> krb and LDAP) so can't really comment on that part of it :-( Sorry.
>
> 2) By default, Active Directory (not sure what version you're using 
> (assuming 2003R2 or 2008)) does not allow anonymous queries. You can 
> either change that or add this into /etc/ldap.conf
>
> host x.x.x.x
> url ldap://your_dc.fqdn (or ldaps:// if that's applicable).
> base dc=your,dc=domain,dc=com
> binddn user at your.domain.com
> bindpw PlainTxtPw
>
> I'd make that user a "noddy" account with minimum AD privs. (sorry if
> you're already doing this and I'm making out you don't know...it's not
> my intention).
>
> 3) With regards to the specific sudoers section - in /etc/ldap.conf
>
> sudoers_base ou=SUDOers,dc=your,dc=domain,dc=com
>
> 4) You'll need to convert your current (or a new) /etc/sudoers into
> ldif format using the scripts provided in the sudo distro (they're not
> perfect at this stage), then import it into your AD by running
> ldifde.exe on (one of) your Domain Controllers.
>
> 5) The NOPASSWD flag (in /etc/sudoers) is replaced with a "!authenticate"
> flag in one of the sudoOption: attributes for the relevant sudoRole:.
> On the flip-side "authenticate" is the same as the default of PASSWD
> which is also placed in one of the sudoOption: attributes.
>
> You will need to add the AD users/groups (using "username" or
> "%groupname") into the sudoUser: attribute in the relevant group to
> grant the permissions. To add additional users, groups, perms, etc
> into sudoers once it's in the AD, you can use ADUC as per normal AD
> management and then right click the groups in the SUDOers OU and then
> select the attributes you want to manage. Once you save, changes take
> effect straight away.
>
> Regardless of anonymous connections to the AD, anyone on the system
> can read /etc/ldap.conf (well, if they want to use the features that
> it controls they'll need to), also, as all users are logged in via the
> AD anyway, by default, anyone could do an "ldapsearch", authenticate
> as themselves and then view the SUDOers attributes (not sure if there
> is a way to prevent this). So on that note, I don't know how you'd get
> the same perms as UNIX 400 root:root.
>
> Also, it's just worth noting that if your current /etc/sudoers uses 
> command_aliases then they'll not import into the AD and actually work.
> You'll need to list the absolute commands in the sudoCommand: 
> attributes (with the exception of the "ALL" alias, which works fine).
>
> I hope that helps a bit
>
> Paul
>
> ________________________________________
> From: sudo-users-bounces at courtesan.com 
> [sudo-users-bounces at courtesan.com]
> On Behalf Of Boomer Brainfood [boomer at brainfood.homelinux.org]
> Sent: 12 July 2010 15:34
> To: sudo-users at sudo.ws
> Subject: [sudo-users] sudoers and winbind
>
> Hello everybody,
>
> my company wants to integrate all Unix servers into active directory.
> For "normal" account management I decided more or less to go down the 
> winbind route.
> To have all information in one place, we also want to put sudoers in 
> the AD.
> Now the question is, how can I access the information ?
> I don't think, winbind can provide sudoers information.
> So, I guess I have to maintain a separate ldap.conf for sudo.
> But, how does sudo authenticate to the LDAP server (the user is 
> authenticated using pam and thus through winbind (unless NOPASSWD is
> defined))
> - somebody told me that AD doesn't support anonymous queries
> - if anonymous queries are possible, then sudoers becomes 
> world-readable, which is different from the local filesystem
>
> Sincerely
> Bernhard
>
>
>
> --
> Minds are like parachutes
> They only function when open
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws> For list information, 
> options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>


--
When did I realize I was God?
Well, I was praying and I suddenly realized I was talking to myself.

____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
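Paul's points 4 and 5 (convert /etc/sudoers to LDIF, replace NOPASSWD with a "sudoOption: !authenticate", and spell out Cmnd_Alias members as absolute paths in sudoCommand) are illustrated below with a small converter written for this archive page. It is not the thread's code and not the sudoers2ldif script shipped with sudo; it handles only plain user specs and Cmnd_Alias lines, uses the standard sudoRole attributes (sudoUser, sudoHost, sudoRunAsUser, sudoCommand, sudoOption), and takes a constructed sudoers snippet and an assumed sudoers_base of ou=SUDOers,dc=example,dc=com. It also reports which resulting roles grant ALL commands without re-authentication, the entries most worth a second look given that, as the thread notes, anything imported into AD is readable by every domain user.

```python
import re
from typing import Dict, List

# Constructed sample sudoers (not from the thread). It uses the two constructs the
# thread says need hand-translation for LDAP: a Cmnd_Alias and the NOPASSWD tag.
SAMPLE_SUDOERS = """\
# constructed example sudoers
Cmnd_Alias SERVICES = /sbin/service, /usr/sbin/systemctl
%admins  ALL=(ALL) ALL
bob      ALL=(root) NOPASSWD: SERVICES
alice    ALL=(ALL) NOPASSWD: ALL
"""

# Assumed container; set it to the sudoers_base you configure in /etc/ldap.conf.
SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user  host = (runas)  [NOPASSWD:|PASSWD:]  cmd, cmd, ...
SPEC_RE = re.compile(
    r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(?:(NOPASSWD|PASSWD):\s*)?(.+)$"
)


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Parse a simple sudoers subset into sudoRole-shaped dicts.

    Cmnd_Alias names are expanded into their absolute commands, because a
    sudoCommand attribute holding an alias name would never match anything.
    NOPASSWD becomes the sudoOption '!authenticate'; the PASSWD default needs
    no option at all.
    """
    aliases: Dict[str, List[str]] = {}
    roles: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        user, host, runas, tag, cmds = m.groups()
        commands: List[str] = []
        for cmd in (c.strip() for c in cmds.split(",")):
            commands.extend(aliases.get(cmd, [cmd]))
        roles.append({
            "cn": user.lstrip("%"),            # '%group' -> 'group' as the entry name
            "sudoUser": user,                  # sudoUser keeps the %group form
            "sudoHost": host,
            "sudoRunAsUser": runas or "root",  # sudoers defaults an omitted runas to root
            "sudoCommand": commands,
            "sudoOption": ["!authenticate"] if tag == "NOPASSWD" else [],
        })
    return roles


def to_ldif(roles: List[Dict[str, object]], sudoers_base: str = SUDOERS_BASE) -> str:
    """Render the roles as sudoRole LDIF entries under sudoers_base."""
    entries = []
    for r in roles:
        lines = [
            f"dn: cn={r['cn']},{sudoers_base}",
            "objectClass: top",
            "objectClass: sudoRole",
            f"cn: {r['cn']}",
            f"sudoUser: {r['sudoUser']}",
            f"sudoHost: {r['sudoHost']}",
            f"sudoRunAsUser: {r['sudoRunAsUser']}",
        ]
        lines += [f"sudoCommand: {c}" for c in r["sudoCommand"]]
        lines += [f"sudoOption: {o}" for o in r["sudoOption"]]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


def passwordless_all(roles: List[Dict[str, object]]) -> List[str]:
    """Names of roles that grant ALL commands with no re-authentication.

    Review these before running ldifde: once in AD the entries are readable
    by every domain user, so an over-broad role is visible to everyone.
    """
    return [
        str(r["cn"]) for r in roles
        if "!authenticate" in r["sudoOption"] and "ALL" in r["sudoCommand"]
    ]


if __name__ == "__main__":
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    print(to_ldif(parsed))
    print("roles with ALL and !authenticate:", passwordless_all(parsed))
```

Running it prints three sudoRole entries; bob's entry carries two sudoCommand values (the expanded SERVICES alias) plus "sudoOption: !authenticate", while only alice is listed by the final check. Feed the printed LDIF to ldifde.exe on a domain controller, as Paul describes, after adjusting SUDOERS_BASE.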


