[sudo-users] Solaris 10, AD authentication and sudo (excessive) AD group lookups
Todd C. Miller
Todd.Miller at sudo.ws
Thu Jun 14 07:07:07 MDT 2018
On Wed, 13 Jun 2018 17:18:24 -0000, Jeff Martin wrote:
> User belonging to many (> 150) AD groups may not allow sudo to see the groups,
> so lookup of %GROUP in sudoers fails with permission not allowed if group not
> in first 32 lookups.
>
> Solaris 10 SPARC
> Sudo 1.8.23
> Compiled on system default options
> Powerbroker Open AD authentication
>
> User belongs to 166 AD groups.
> Powerbroker sees 166 AD group memberships.
> Sudo sees 32 groups based on turning on sudo debug mode and checking the logs
> for # occurrences of "user is a member of ...."
Please try adding the following lines to your sudo.conf file:
    Set group_source dynamic
    Set max_groups 256
Sudo will query the nsswitch group provider for the user's groups,
but I don't know whether Powerbroker will expose all groups or
just up to the system maximum.
- todd
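As an added check (not part of this thread or of the sudo project's own code), the POSIX sh script below parses a sudo.conf for the two settings above and compares max_groups against the number of groups a user is in, so an administrator can verify the change before retesting a %GROUP rule. The only sudo.conf syntax it assumes is the "Set key value" form used in the reply; the two config files and the 166-GID `id -G` output are constructed inline so the script runs offline. On a real system, replace the constructed GID list with the output of `id -G "$user"`.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): verify that sudo.conf
# enables dynamic group lookups with max_groups large enough for a user.

# sudo_conf_setting FILE KEY -> value of the last "Set KEY value" line, or "unset"
sudo_conf_setting() {
    awk -v key="$2" '
        $1 == "Set" && $2 == key { val = $3 }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# count_groups "GID GID ..." -> number of GIDs in a line as printed by `id -G user`
count_groups() {
    printf '%s\n' "$1" | awk '{ print NF }'
}

# check_group_config FILE NGROUPS -> 0 when group_source is dynamic and
# max_groups covers NGROUPS; otherwise prints the reason and returns 1
check_group_config() {
    src=$(sudo_conf_setting "$1" group_source)
    max=$(sudo_conf_setting "$1" max_groups)
    [ "$src" = "dynamic" ] || { echo "group_source is $src, not dynamic"; return 1; }
    case "$max" in
        ''|*[!0-9]*) echo "max_groups is $max, not a number"; return 1 ;;
    esac
    [ "$max" -ge "$2" ] || { echo "max_groups $max is below the user's $2 groups"; return 1; }
    echo "ok: group_source=$src max_groups=$max covers $2 groups"
    return 0
}

# --- constructed demonstration ---
tmp=$(mktemp -d)
# before: a sudo.conf with no group settings
printf '# constructed sudo.conf, no group settings\n' > "$tmp/before.conf"
# after: the two lines suggested in the reply
printf 'Set group_source dynamic\nSet max_groups 256\n' > "$tmp/after.conf"

# constructed `id -G` output for a user in 166 groups (GIDs 10000..10165)
gids=$(awk 'BEGIN { for (i = 0; i < 166; i++) printf "%d ", 10000 + i }')
n=$(count_groups "$gids")
echo "user is in $n groups"

check_group_config "$tmp/before.conf" "$n" || true   # reports group_source unset
check_group_config "$tmp/after.conf"  "$n" || true   # reports ok
rm -rf "$tmp"
```

The check only proves the configuration asks sudo for a dynamic lookup of up to 256 groups; as the reply notes, whether the nsswitch provider actually returns all of them still has to be confirmed with sudo's debug log on the Solaris host.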