From: Gerald (Jerry) Carter on

Glenn Bailey wrote:
> Howdy folks,
>
> I'm having an issue with sudo not recognizing nested groups
> via AD and winbind. I have an AD group called UnixAdmins and
> when I add an AD account *directly* into this group, I am able
> to use sudo just fine as it is in the sudoers. *but* say I
> have a nested group in UnixAdmins like CustomerUsers or whatnot
> it won't recognize. Now, I also restrict access via pam.d systems-auth
> to UnixAdmins, so I know that part is working. Also, when I run
> an "id" it shows the proper groups. It just seems sudo won't
> recognize the nested groups :-(
>
> Anyone run into this issue before? It's gonna be an admin nightmare
> just to populate UnixAdmins with individual accounts ..

This was fixed in the upcoming 3.2 release. See the
"winbind expand groups" option.

cheers, jerry
--
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
From: Glenn Bailey on

>> I'm having an issue with sudo not recognizing nested groups via AD and
>> winbind. I have an AD group called UnixAdmins and when I add an AD
>> account *directly* into this group, I am able to use sudo just fine as
>> it is in the sudoers. *but* say I have a nested group in UnixAdmins
>> like CustomerUsers or whatnot it won't recognize. Now, I also restrict
>> access via pam.d systems-auth to UnixAdmins, so I know that part is
>> working. Also, when I run an "id" it shows the proper groups. It
>> just seems sudo won't recognize the nested groups :-(
>>
>> Anyone run into this issue before? It's gonna be an admin nightmare
>> just to populate UnixAdmins with individual accounts ..

> This was fixed in the upcoming 3.2 release. See the "winbind expand groups" option.

Is there any way to patch 3.0.28a to allow for this? Or any kind of workaround?

Glenn E. Bailey III
terremark worldwide
From: Gerald (Jerry) Carter on

Glenn Bailey wrote:
|>> I'm having an issue with sudo not recognizing nested groups via AD and
|>> winbind. I have an AD group called UnixAdmins and when I add an AD
|>> account *directly* into this group, I am able to use sudo just fine as
|>> it is in the sudoers. *but* say I have a nested group in UnixAdmins
|>> like CustomerUsers or whatnot it won't recognize. Now, I also restrict
|>> access via pam.d systems-auth to UnixAdmins, so I know that part is
|>> working. Also, when I run an "id" it shows the proper groups. It
|>> just seems sudo won't recognize the nested groups :-(
|>>
|>> Anyone run into this issue before? It's gonna be an admin nightmare
|>> just to populate UnixAdmins with individual accounts ..
|
|> This was fixed in the upcoming 3.2 release. See the "winbind expand
|> groups" option.
|
| Is there any way to patch 3.0.28a to allow for this? Or
| any kind of workaround?

Not officially. Are you running a file server? Or just using
Winbind to authenticate logons? I originally did the work
in Likewise's Winbind tree and pushed it upstream. So
it has been shipping in Likewise Open [1] for a while.


[1] http://www.likewisesoftware.com/community/


cheers, jerry
--
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
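
A diagnostic for the mismatch this thread describes, added here as an example and not taken from the thread or from Samba: it compares a user's group list (`id -G`) with a group's enumerated member list (`getent group`). The helper name `classify` and the sample names in the comments are constructed, and it assumes the nested member is missing from the enumerated list, which is the flattening that "winbind expand groups" controls.

```shell
#!/bin/sh
# Added example (not from the thread). classify() is a hypothetical helper.
# It compares two NSS views of one user/group pair:
#   entry: one line of `getent group GROUP`  -> name:passwd:gid:member,member
#   ids:   output of `id -G USER`            -> space-separated numeric gids
# Numeric gids are used so group names containing spaces compare safely.

classify() {
    user=$1
    entry=$2
    ids=$3

    # Empty entry means the group did not resolve through NSS at all.
    [ -n "$entry" ] || { echo no-such-group; return 0; }

    members=${entry##*:}      # 4th field: enumerated member list
    rest=${entry%:*}          # name:passwd:gid
    gid=${rest##*:}           # 3rd field: numeric gid

    in_ids=no
    in_enum=no
    case " $ids " in *" $gid "*) in_ids=yes ;; esac
    case ",$members," in *",$user,"*) in_enum=yes ;; esac

    case "$in_ids/$in_enum" in
        yes/yes) echo consistent ;;       # both views agree: member
        yes/no)  echo not-enumerated ;;   # in the user's group list only:
                                          # the state described in this thread
                                          # (also seen for a primary group)
        no/yes)  echo enumerated-only ;;  # listed, but not in the group list
        *)       echo not-a-member ;;
    esac
}

# Live use: ./check.sh 'EXAMPLE\bob' UnixAdmins   (constructed names)
if [ "$#" -eq 2 ]; then
    classify "$1" "$(getent group "$2")" "$(id -G "$1")"
fi
```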