[sudo-users] sudo ldap snow leopard 10.6

Todd C. Miller Todd.Miller at courtesan.com
Fri Mar 23 09:55:32 EDT 2012


On Fri, 23 Mar 2012 11:52:57 -0000, Nicholas Lawrence wrote:

> If I setup a sudo user in adsi on the AD, this will work fine. The
> problem is we need to use groups (eg. %group) and this does not
> work for osx, but works perfectly for centos.

When you run the "groups" command as the user on osx (without sudo),
does it show the same group names you are using in your sudoers
rules?

What version of sudo are you using on centos?  There was a change
to how group matching was done in sudo 1.8.2.  From the upgrade
notes:

    When matching Unix groups in the sudoers file, sudo will now
    match based on the name of the group as it appears in sudoers
    instead of the group ID.  This can substantially reduce the
    number of group lookups for sudoers files that contain a large
    number of groups.  There are a few side effects of this change.

    1) Unix groups with different names but the same group ID can
       no longer be used interchangeably.  Sudo will look up all
       of a user's groups by group ID and use the resulting group
       names when matching sudoers entries.  If there are multiple
       groups with the same ID, the group name returned by the
       system getgrgid() library function is the name that will be
       used when matching sudoers entries.

    2) Unix group names specified in the sudoers file that are
       longer than the system maximum will no longer match.  For
       instance, if there is a Unix group "fireflie" on a system
       where group names are limited to eight characters, "%fireflies"
       in sudoers will no longer match "fireflie".  Previously, a
       lookup by name of the group "fireflies" would have matched
       the "fireflie" group on most systems.

This can have ramifications on groups in AD if, for example, the
group name in sudoers includes the domain but the group name on the
Unix host does not.

 - todd
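As an added illustration (not part of this message or of sudo's source), a small Python model of the two matching strategies the upgrade notes describe, run over a constructed group database; GROUP_DB, NAME_MAX and the function names are assumptions, not sudo's internals:

```python
# Added model (not sudo's code) of sudoers %group matching before/after 1.8.2.
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    gid: int

NAME_MAX = 8  # constructed: system that limits group names to 8 characters

# Constructed group database standing in for getgrnam()/getgrgid() results
# on a host where the directory maps a domain-qualified alias to the same GID.
GROUP_DB = [
    Group("wheel", 10),
    Group("admins", 500),
    Group("CORP\\admins", 500),  # same GID as "admins"
    Group("fireflie", 600),      # name already truncated to NAME_MAX
]

def getgrnam(name):
    """Model of getgrnam(): exact name, else the name cut to NAME_MAX
    (how "fireflies" used to resolve to "fireflie" on many systems)."""
    for key in (name, name[:NAME_MAX]):
        hit = next((g for g in GROUP_DB if g.name == key), None)
        if hit is not None:
            return hit
    return None

def getgrgid(gid):
    """Model of getgrgid(): first entry with that GID is the only name seen."""
    return next((g for g in GROUP_DB if g.gid == gid), None)

def matches_pre_182(sudoers_group, user_gids):
    """sudo < 1.8.2: resolve the sudoers name to a GID, compare GIDs."""
    g = getgrnam(sudoers_group.lstrip("%"))
    return g is not None and g.gid in user_gids

def matches_182(sudoers_group, user_gids):
    """sudo >= 1.8.2: resolve each user GID to one name, compare names."""
    names = {getgrgid(gid).name for gid in user_gids if getgrgid(gid) is not None}
    return sudoers_group.lstrip("%") in names

def compare(sudoers_groups, user_gids):
    """Return {sudoers_group: (matched before 1.8.2, matched in 1.8.2+)}."""
    return {g: (matches_pre_182(g, user_gids), matches_182(g, user_gids))
            for g in sudoers_groups}

if __name__ == "__main__":  # constructed user in GIDs 10, 500 and 600
    for grp, res in compare(["%wheel", "%CORP\\admins", "%fireflies"], {10, 500, 600}).items():
        print(grp, "pre-1.8.2:", res[0], "1.8.2+:", res[1])
```

Running it shows "%CORP\admins" and "%fireflies" matching only under the old GID-based scheme, which is the symptom to check for when a rule works on one host's sudo version but not another's.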
