[sudo-users] Solaris 10, AD authentication and sudo (excessive) AD group lookups

Jeff Martin Jeff.Martin at panasonic.aero
Thu Jun 14 10:53:18 MDT 2018


Todd,
That seems to have done the trick. Sudo sees all 166 AD groups. Appreciate the quick response.

_Jeff


-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at sudo.ws] 
Sent: Thursday, June 14, 2018 6:07 AM
To: Jeff Martin <Jeff.Martin at panasonic.aero>
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Solaris 10, AD authentication and sudo (excessive) AD group lookups

On Wed, 13 Jun 2018 17:18:24 -0000, Jeff Martin wrote:

> A user belonging to many (> 150) AD groups may not allow sudo to see the 
> groups, so lookup of %GROUP in sudoers fails with permission not 
> allowed if the group is not in the first 32 lookups.
>
> Solaris 10 SPARC
> Sudo 1.8.23
> Compiled on system default options
> Powerbroker Open AD authentication
>
> User belongs to 166 AD groups.
> Powerbroker sees 166 AD group memberships.
> Sudo sees 32 groups based on turning on sudo debug mode and checking 
> the logs for # occurrences of "user is a member of ...."

Please try adding the following lines to your sudo.conf file:

Set group_source dynamic
Set max_groups 256

Sudo will query the nsswitch group provider for the user's groups, but I don't know whether Powerbroker will expose all groups or just up to the system maximum.

 - todd
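The check the original poster did by hand, counting "user ... is a member of" lines in the sudo debug log and comparing with the number of groups the name service reports, as an added shell example. This is not code from the thread or from the sudo project; the debug-log line format, the user name jmartin and the sample log lines are constructed for illustration (only the "is a member of" wording comes from the poster's description), and the sudo.conf lines are the two from Todd's reply.

```shell
#!/bin/sh
# Added example, not from the sudo-users thread: measure how many groups
# sudo actually resolved for a user (from its debug log) against how many
# the name service reports, so a capped group list (the 32-group limit the
# poster hit) shows up as a mismatch before and after editing sudo.conf.

# Constructed sample of sudo debug-log lines (hypothetical layout modelled
# on the "user is a member of ..." text the poster grepped for; "wheel"
# appears twice to show that repeats are not double-counted).
SAMPLE_LOG='Jun 14 10:00:01 sudo[1234] user jmartin is a member of wheel
Jun 14 10:00:01 sudo[1234] user jmartin is a member of staff
Jun 14 10:00:01 sudo[1234] user jmartin is a member of wheel
Jun 14 10:00:01 sudo[1234] user jmartin is a member of ad-unix-admins
Jun 14 10:00:01 sudo[1234] user jmartin is not a member of root'

# The sudo.conf lines suggested in the reply, kept in a variable so the
# script can run without touching /etc/sudo.conf.
SUDO_CONF_LINES='Set group_source dynamic
Set max_groups 256'

# Number of distinct groups the debug log (on stdin) says sudo resolved for
# user $1. "is not a member of" lines are excluded by the regex.
sudo_seen_groups() {
    awk -v u="$1" '$0 ~ ("user " u " is a member of ") { print $NF }' \
        | sort -u | wc -l | tr -d ' '
}

# Number of groups the name service (what "group_source dynamic" asks for)
# reports for user $1; 0 if the user is unknown on this host.
nss_group_count() {
    id -G "$1" 2>/dev/null | wc -w | tr -d ' '
}

# Value of a "Set <name> <value>" line in a sudo.conf read from stdin
# (empty output if the setting is absent).
conf_setting() {
    awk -v k="$1" '$1 == "Set" && $2 == k { print $3 }'
}

# Return 0 when sudo sees every group, 1 when it sees fewer than the name
# service reports, i.e. the symptom that makes %GROUP rules fail.
check_group_visibility() {
    seen=$1
    expected=$2
    if [ "$seen" -lt "$expected" ]; then
        echo "sudo sees $seen of $expected groups: check group_source and max_groups in sudo.conf"
        return 1
    fi
    echo "sudo sees all $expected groups"
    return 0
}

# Usage on the constructed data: 3 distinct groups in the sample log,
# compared with the 166 the poster reported (mismatch, exit status 1).
seen=$(printf '%s\n' "$SAMPLE_LOG" | sudo_seen_groups jmartin)
check_group_visibility "$seen" 166 || :
printf 'max_groups in sudo.conf: %s\n' \
    "$(printf '%s\n' "$SUDO_CONF_LINES" | conf_setting max_groups)"
```

On a real host, feed the actual debug log to sudo_seen_groups and use nss_group_count for the expected value; a user who is in more AD groups than the name service (here Powerbroker) returns through nsswitch will still show a gap regardless of the sudo.conf settings, which is the caveat in the reply.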


More information about the sudo-users mailing list