AIX Open Source

  • 1.  Issues with sudo for winbind user %groups

    Posted Tue February 27, 2024 08:41 PM

    I'm using winbind to authenticate users. They can log in fine, groups 'appear' to come through from AD, and everything looks "good":

    root@NIMHOST:/root # ssh exampleuser@HOSTNAME
    Unauthorized use of this system is prohibited.
    exampleuser@HOSTNAME's password:
    
    exampleuser@HOSTNAME:/home/XX/exampleuser #
    exampleuser@HOSTNAME:/home/XX/exampleuser # id
    uid=1015621(someuser) gid=1000513(domain_users) groups=1015621(someuser),1040303(redacted),1017368(redacted),1017264(redacted),1013233(redacted),1040140(redacted),1064645(redacted),1071628(GROUP_THAT_MATTERS),1005522(redacted),1021466(redacted),1047111(redacted),1016735(redacted),1070984(redacted),1041417(redacted),1042453(redacted),1060935(redacted),1036101(redacted),1012177(redacted),10001(ZZ\redacted),10000(ZZ\redacted),1071419(redacted),1041139(redacted),1062768(redacted),10003(BUILTIN\users)
    exampleuser@HOSTNAME:/home/XX/exampleuser #
    exampleuser@HOSTNAME:/home/XX/exampleuser # groups
    exampleuser domain_users {{many redacted, same as id}}
    exampleuser@HOSTNAME:/home/XX/exampleuser #
    exampleuser@HOSTNAME:/home/XX/exampleuser # whoami
    exampleuser
    exampleuser@HOSTNAME:/home/XX/exampleuser #
    

    /etc/samba/smb.conf:

    [global]
       ## Domain+Network settings
       realm = xx.foo.bardomain
       workgroup = xx
       security = ads
       password server = *
       socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15
    
       ## Winbind settings
       winbind normalize names = yes
       winbind nested groups = yes
       winbind refresh tickets = yes
       ## I tested with and without a default domain, same deal
       winbind use default domain = yes
       ## Added enum for testing, these aren't always enabled
       winbind enum users = yes
       winbind enum groups = yes
    
       ## Template settings
       # set the shell to /usr/bin/ksh93 (if blank, it defaults to /bin/false)
       template shell = /usr/bin/ksh93
    
       ## idmaps
       idmap config * : backend = tdb
       idmap config * : range = 10000-200000
       # RID id mappings for domain users
       # idmapping for xx.foo.bardomain
       idmap config XX: backend = rid
       idmap config XX: range = 1000000-1999999
       # idmapping for zz.foo.bardomain
       idmap config ZZ: backend = rid
       idmap config ZZ: range = 2000000-2999999
    
    

    This is working fine. Users can log in, and I can query them:

    root@HOSTNAME:/root/ # lsuser someuser
    someuser id=1015621 pgrp=domain_users groups=1015621,1000513,1040303,1017368,1017264,1013233,1040140,1064645,1071628,1005522,1021466,1047111,1016735,1070984,1041417,1042453,1060935,1036101,1012177,10001,10000,1071419,1041139,1062768,10003 home=/home/XX/someuser shell=/usr/bin/ksh93 gecos=User Name login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=WINBIND or compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist=/usr/share/dict/words core_compress=on default_roles= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1709077361 time_last_unsuccessful_login=1709007629 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=127.0.0.1 host_last_unsuccessful_login=127.0.0.1 unsuccessful_login_count=0 roles= pgid=1000513 groupsids=1015621,1000513,1040303,1017368,1017264,1013233,1040140,1064645,1071628,1005522,1021466,1047111,1016735,1070984,1041417,1042453,1060935,1036101,1012177,10001,10000,1071419,1041139,1062768,10003 SID=
    root@HOSTNAME:/root/ # groups someuser
    groups: 'someuser': no such user
    
    root@USSIGATXAPO002D:/root/ # ssh someuser@HOSTNAME
    Unauthorized use of this system is prohibited.
    someuser@HOSTNAME's password:
    someuser@USSIGATXAPO002D:/home/XX/someuser #
    
    someuser@HOSTNAME:/home/US/someuser # id
    uid=1015621(someuser) gid=1000513(domain_users) groups=1015621(someuser),1040303(redacted),1017368(redacted),1017264(redacted),1013233(redacted),1040140(redacted),1064645(redacted),1071628(GROUP_THAT_MATTERS),1005522(redacted),1021466(redacted),1047111(redacted),1016735(redacted),1070984(redacted),1041417(redacted),1042453(redacted),1060935(redacted),1036101(redacted),1012177(redacted),10001(ZZ\redacted),10000(ZZ\redacted),1071419(redacted),1041139(redacted),1062768(redacted),10003(BUILTIN\users)
    

    Sudoers works fine for the local groups, and the users in AD, but does not work for any of the groups in AD.

    I have attempted with domain, without, all of the following:

    # tail /etc/sudoers
    
    User_Alias SYSADM = %GROUP_THAT_MATTERS, %US\\GROUP_THAT_MATTERS, "US\GROUP_THAT_MATTERS", "%GROUP_THAT_MATTERS", %1071628
    SYSADM ALL=(ALL) NOPASSWD: ALL
    
    username ALL=(ALL) NOPASSWD: ALL
    

    # sudo -lU some_user_in_SYSADM
    User some_user_in_SYSADM is not allowed to run sudo on HOSTNAME.
    
    
    # sudo -lU username
    Matching Defaults entries for username on HOSTNAME:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
        LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    
    User username may run the following commands on HOSTNAME:
        (ALL) NOPASSWD: ALL
    

    Not sure if I'm missing something obvious, or if sudo+winbind+groups is just having some weird issues?

    Any help would be greatly appreciated.



    ------------------------------
    David Little
    ------------------------------


  • 2.  RE: Issues with sudo for winbind user %groups

    IBM Champion
    Posted Wed February 28, 2024 04:17 AM

    Hi David,

    Can you please specify which AIX version (oslevel -s) and sudo version (sudo -V) you use? The problem can be in AIX, in sudo, or in your configuration.

    See e.g. some similar topics:

    https://community.ibm.com/community/user/power/discussion/sudo-part-2

    https://community.ibm.com/community/user/power/discussion/sudo-users-from-ldap-with-local-groups

    You can switch on sudo debug logs and trace the reason for the problem.

    https://www.sudo.ws/docs/readme/readme_ldap/



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 3.  RE: Issues with sudo for winbind user %groups

    Posted Wed February 28, 2024 05:58 PM

    Thanks Andrey. I did read through those threads, and both were inconclusive. It's important to note that I'm using Winbind for auth, not LDAP. (I have a sneaking suspicion this is AIX not liking Winbind being 32 bit, and the getgr*() functions are not working.)

    I'm also struggling with the sudo debugging. I'll do some more reading to figure out how to turn that on.

    # oslevel -s
    7200-05-07-2346
    
    
    # emgr -l
    ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
    === ===== ========== ================= ========== ======================================
    1    S    IJ49093s7  01/29/24 22:32:17            IJ49093 for AIX 7.2 TL5 SP5 to SP7
    2    S    38408m9b   01/29/24 22:32:39            Ifix for openssh vulnerabilities
    
    
    # sudo -V
    Sudo version 1.9.14p3
    Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --libdir=/opt/freeware/lib --mandir=/opt/freeware/man --libexecdir=/opt/freeware/libexec --with-logging=syslog --with-logfac=auth --with-pam --with-pam-login --with-env-editor --with-ignore-dot --with-aixauth --disable-year2038 --with-tty-tickets --with-ldap=/opt/freeware --with-ldap-conf-file=/opt/freeware/etc/openldap/ldap.conf
    Sudoers policy plugin version 1.9.14p3
    Sudoers file grammar version 50
    


    ------------------------------
    David Little
    ------------------------------



  • 4.  RE: Issues with sudo for winbind user %groups

    Posted Sun March 03, 2024 09:50 PM

    Hey Andrey, I do see you had a similar issue 2 years ago in those threads.  Did you ever reach a resolution?

    I have done some local testing, and found that if I create a local AIX user with the same group id (not just name), it works fine. Less than ideal, but will get me across the line for now.

    # mkgroup id=1543 test_sudo_group
    
    # sudo -l -U testuser
    User testuser is not allowed to run sudo on HOSTNAME.
    
    # su - testuser
    
    $ id
    uid=1015621(REDACTED) gid=1000513(REDACTED) groups=1071628(test_sudo_group)
    $ groups
    testuser redactedgroups test_sudo_group
    
    # rmgroup test_sudo_group
    
    # mkgroup id=1071628 test_sudo_group
    
    # sudo -l -U testuser
    Matching Defaults entries for testuser on HOSTNAME:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
        LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    
    User testuser may run the following commands on HOSTNAME:
        (ALL) NOPASSWD: ALL
    
    


    ------------------------------
    David Little
    ------------------------------



  • 5.  RE: Issues with sudo for winbind user %groups

    IBM Champion
    Posted Mon March 04, 2024 06:24 AM

    Hi David,

    I remember that the problem was solved. But unfortunately (ashes on my head) I didn't document it and I can't remember it anymore. If I find it, I'll post it here.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------