[sudo-users] Solaris 10, AD authentication and sudo (excessive) AD group lookups

Todd C. Miller Todd.Miller at sudo.ws
Thu Jun 14 07:07:07 MDT 2018

On Wed, 13 Jun 2018 17:18:24 -0000, Jeff Martin wrote:

> User belonging to many > 150 AD Groups, may not allow sudo to see the group s
> o lookup of %GROUP in sudoers fails with permission not allowed if group not 
> in first 32 lookups.
> Solaris 10 SPARC
> Sudo 1.8.23
> Compiled on system default options
> Powerbroker Open AD authentication
> User belongs to 166 AD groups.
> Powerbroker sees 166 AD group memberships.
> Sudo sees 32 groups based on turning on sudo debug mode and checking the logs
>  for # occurrences of "user is a member of ...."

Please try adding the following lines to your sudo.conf file:

Set group_source dynamic
Set max_groups 256

Sudo will query the nsswitch group provider for the user's groups,
but I don't know whether Powerbroker will exposes all groups or
just up to the system maximum.

 - todd

More information about the sudo-users mailing list