I remember that the problem was solved. But unfortunately (ashes on my head) I didn't document it and I can't remember it anymore. If I find it, I'll post it here.
Original Message:
Sent: Sun March 03, 2024 09:50 PM
From: David Little
Subject: Issues with sudo for winbind user %groups
Hey Andrey, I do see you had a similar issue 2 years ago in those threads. Did you ever reach a resolution?
I have done some local testing, and found that if I create a local AIX user with the same group id (not just name), it works fine. Less than ideal, but will get me across the line for now.
# mkgroup id=1543 test_sudo_group
# sudo -l -U testuser
User testuser is not allowed to run sudo on HOSTNAME.
# su - testuser
$ id
uid=1015621(REDACTED) gid=1000513(REDACTED) groups=1071628(test_sudo_group)
$ groups
testuser redactedgroups test_sudo_group
# rmgroup test_sudo_group
# mkgroup id=1071628 test_sudo_group
# sudo -l -U testuser
Matching Defaults entries for testuser on HOSTNAME:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User testuser may run the following commands on HOSTNAME:
    (ALL) NOPASSWD: ALL
------------------------------
David Little
Original Message:
Sent: Wed February 28, 2024 04:17 AM
From: Andrey Klyachkin
Subject: Issues with sudo for winbind user %groups
Hi David,
can you please specify which AIX version (oslevel -s) and sudo version (sudo -V) do you use? The problem can be in AIX, in sudo and in your configuration.
See e.g. some similar topics:
https://community.ibm.com/community/user/power/discussion/sudo-part-2
https://community.ibm.com/community/user/power/discussion/sudo-users-from-ldap-with-local-groups
You can switch on sudo debug logs and trace the reason of the problem.
https://www.sudo.ws/docs/readme/readme_ldap/
------------------------------
Andrey Klyachkin
https://www.power-devops.com
Original Message:
Sent: Tue February 27, 2024 08:41 PM
From: David Little
Subject: Issues with sudo for winbind user %groups
I'm using winbind to authenticate users. They can log in fine, groups 'appear' to come through from AD, and everything looks "good":
root@NIMHOST:/root # ssh exampleuser@HOSTNAME
Unauthorized use of this system is prohibited.
exampleuser@HOSTNAME's password:
exampleuser@HOSTNAME:/home/XX/exampleuser #
exampleuser@HOSTNAME:/home/XX/exampleuser # id
uid=1015621(someuser) gid=1000513(domain_users) groups=1015621(someuser),1040303(redacted),1017368(redacted),1017264(redacted),1013233(redacted),1040140(redacted),1064645(redacted),1071628(GROUP_THAT_MATTERS),1005522(redacted),1021466(redacted),1047111(redacted),1016735(redacted),1070984(redacted),1041417(redacted),1042453(redacted),1060935(redacted),1036101(redacted),1012177(redacted),10001(ZZ\redacted),10000(ZZ\redacted),1071419(redacted),1041139(redacted),1062768(redacted),10003(BUILTIN\users)
exampleuser@HOSTNAME:/home/XX/exampleuser #
exampleuser@HOSTNAME:/home/XX/exampleuser # groups
exampleuser domain_users {{many redacted, same as id}}
exampleuser@HOSTNAME:/home/XX/exampleuser #
exampleuser@HOSTNAME:/home/XX/exampleuser # whoami
exampleuser
exampleuser@HOSTNAME:/home/XX/exampleuser #
/etc/samba/smb.conf:
[global]
## Domain+Network settings
realm = xx.foo.bardomain
workgroup = xx
security = ads
password server = *
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15
## Winbind settings
winbind normalize names = yes
winbind nested groups = yes
winbind refresh tickets = yes
## I tested with and without a default domain, same deal
winbind use default domain = yes
## Added enum for testing, these aren't always enabled
winbind enum users = yes
winbind enum groups = yes
## Template settings
# set the shell to /usr/bin/ksh93 (if blank, it defaults to /bin/false)
template shell = /usr/bin/ksh93
## idmaps
idmap config * : backend = tdb
idmap config * : range = 10000-200000
# RID id mappings for domain users
# idmapping for xx.foo.bardomain
idmap config XX: backend = rid
idmap config XX: range = 1000000-1999999
# idmapping for zz.foo.bardomain
idmap config ZZ: backend = rid
idmap config ZZ: range = 2000000-2999999
This is working fine. Users can log in, and I can query them:
root@HOSTNAME:/root/ # lsuser someuser
someuser id=1015621 pgrp=domain_users groups=1015621,1000513,1040303,1017368,1017264,1013233,1040140,1064645,1071628,1005522,1021466,1047111,1016735,1070984,1041417,1042453,1060935,1036101,1012177,10001,10000,1071419,1041139,1062768,10003 home=/home/XX/someuser shell=/usr/bin/ksh93 gecos=User Name login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=WINBIND or compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist=/usr/share/dict/words core_compress=on default_roles= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1709077361 time_last_unsuccessful_login=1709007629 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=127.0.0.1 host_last_unsuccessful_login=127.0.0.1 unsuccessful_login_count=0 roles= pgid=1000513 groupsids=1015621,1000513,1040303,1017368,1017264,1013233,1040140,1064645,1071628,1005522,1021466,1047111,1016735,1070984,1041417,1042453,1060935,1036101,1012177,10001,10000,1071419,1041139,1062768,10003 SID=
root@HOSTNAME:/root/ # groups someuser
groups: 'someuser': no such user
root@USSIGATXAPO002D:/root/ # ssh someuser@HOSTNAME
Unauthorized use of this system is prohibited.
someuser@HOSTNAME's password:
someuser@USSIGATXAPO002D:/home/XX/someuser #
someuser@HOSTNAME:/home/US/someuser # id
uid=1015621(someuser) gid=1000513(domain_users) groups=1015621(someuser),1040303(redacted),1017368(redacted),1017264(redacted),1013233(redacted),1040140(redacted),1064645(redacted),1071628(GROUP_THAT_MATTERS),1005522(redacted),1021466(redacted),1047111(redacted),1016735(redacted),1070984(redacted),1041417(redacted),1042453(redacted),1060935(redacted),1036101(redacted),1012177(redacted),10001(ZZ\redacted),10000(ZZ\redacted),1071419(redacted),1041139(redacted),1062768(redacted),10003(BUILTIN\users)
Sudoers works fine for the local groups, and the users in AD, but does not work for any of the groups in AD.
I have attempted with domain, without, all of the following:
# tail /etc/sudoers
User_Alias SYSADM = %GROUP_THAT_MATTERS, %US\\GROUP_THAT_MATTERS, "US\GROUP_THAT_MATTERS", "%GROUP_THAT_MATTERS", %1071628
SYSADM ALL=(ALL) NOPASSWD: ALL
username ALL=(ALL) NOPASSWD: ALL
# sudo -lU some_user_in_SYSADM
User some_user_in_SYSADM is not allowed to run sudo on HOSTNAME.
# sudo -lU username
Matching Defaults entries for username on HOSTNAME:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User username may run the following commands on HOSTNAME:
    (ALL) NOPASSWD: ALL
Not sure if I'm missing something obvious, or if sudo+winbind+groups is just having some weird issues?
Any help would be greatly appreciated.
------------------------------
David Little
------------------------------
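The thread's two findings (a sudoers %group entry that resolves to a local group with a different GID never matches, and re-creating the local group with winbind's GID makes it match under match_group_by_gid) can be checked offline with the small diagnostic below. It is an added example, not code from the thread or from sudo; the `id` line and the name:gid table are constructed from the redacted output above and stand in for a live `id` / `lsgroup` query.

```shell
#!/bin/sh
# Constructed from the thread's redacted `id` output (not taken from a live system).
ID_OUTPUT='uid=1015621(REDACTED) gid=1000513(REDACTED) groups=1071628(test_sudo_group)'

# Print one numeric GID per line from an `id` output line ($1).
user_gids() {
    printf '%s\n' "$1" | sed 's/^.*groups=//' | tr ',' '\n' | sed 's/(.*//'
}

# Resolve a group name ($2) to its GID from a "name:gid" table ($1).
# The table is a stand-in for the local group database sudo consults (lsgroup/getgrnam).
# Exit status 1 if the name is not in the table.
resolve_gid() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $2; found = 1 } END { if (!found) exit 1 }'
}

# Decide whether a sudoers "%group" entry would match the user under match_group_by_gid:
# the name must resolve locally AND the resolved GID must appear in the user's group list.
# $1: name:gid table, $2: `id` output line, $3: group name from the sudoers entry.
# Prints the verdict and returns 0 on match, 1 otherwise.
sudoers_group_matches() {
    table=$1; idline=$2; group=$3
    gid=$(resolve_gid "$table" "$group") || { echo "no-match (group '$group' not resolvable)"; return 1; }
    for g in $(user_gids "$idline"); do
        if [ "$g" = "$gid" ]; then
            echo "match (gid $gid)"
            return 0
        fi
    done
    echo "no-match (local gid $gid not in user's groups)"
    return 1
}

# Before the workaround: local group created with gid 1543, winbind reports the AD group as 1071628.
TABLE_BEFORE='test_sudo_group:1543'
# After rmgroup/mkgroup id=1071628: the local name now maps to the GID the user actually holds.
TABLE_AFTER='test_sudo_group:1071628'

sudoers_group_matches "$TABLE_BEFORE" "$ID_OUTPUT" test_sudo_group
sudoers_group_matches "$TABLE_AFTER"  "$ID_OUTPUT" test_sudo_group
```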