I have a problem that occasionally appears and disappears, and it drives me nuts.
My Debian servers are authenticated against AD, and only "linuxadmins" group members can SSH to the server and "sudo su".
SSH login works, no problems there, but users are getting the error "user xyz is not in sudoers" while using sudo.
My /etc/sudoers contains the AD group name:
%linuxadmins ALL =(ALL) ALL
And the samba conf:
#GLOBAL PARAMETERS
[global]
workgroup = RKAS
realm = RKAS.RK
preferred master = no
server string = SEP DEV Server
security = ADS
encrypt passwords = true
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
#winbind separator = +
#idmap uid = 600-20000
#idmap gid = 600-20000
;template primary group = "Domain Users"
template shell = /bin/bash
template homedir = /home/%D/%U
winbind offline logon = yes
winbind refresh tickets = yes
The problem lies in the group separator that samba handles.
getent group | grep linuxadmins
gives back two different results within a few minutes:
linuxadmins:x:784:xyz
or
\linuxadmins:x:784:xyz
Users are only able to sudo if there's no backslash.
What's wrong? I cannot understand why it constantly adds a backslash to the group names and then removes it again.
common-account:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account required pam_permit.so
common-auth:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login require_membership_of=linuxadmins try_first_pass
auth required pam_permit.so
and there is no common-system, only session:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
I must add that this behavior is happening on all of the Linux servers.
Best Answer
Right, so actually the idmap uid range is deprecated, but it got replaced with this:
See, what I think is happening is that samba (and associated modules) doesn't know how to assign the right id/uid to a user.
I'd drop those 3 lines into /etc/samba/smb.conf, wipe out the samba cache files (they all get recreated):
rm -rf /var/lib/samba/*
Restart all the samba services (winbindd, smbd, nmbd) and then have a go with:
wbinfo -u
wbinfo -g
wbinfo -i $id
You'll also want to make sure that all the users and groups have uidNumbers and gidNumbers (Active Directory Administrative Center, right click a user, open properties, find the Attribute Editor, set uidnumber and gidnumber if they're not already set).
You also need to have a gidNumber for groups up the tree, including Domain Users.
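As an added diagnostic (not part of the question or the answer above), the script below compares the %group entries in a sudoers file with the group names NSS actually returns, and flags the winbind separator prefix ("\linuxadmins") that makes sudo report "not in sudoers". The group and user names are constructed to mirror the question; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the post): report sudoers %groups that NSS
# only resolves under a winbind separator-prefixed name, which sudo does
# not match against "%linuxadmins".

# Strip a "DOMAIN<sep>" or bare "<sep>" prefix; winbind's separator is "\"
# by default and is often changed to "+" with "winbind separator".
strip_winbind_prefix() {
    case $1 in
        *\\*) printf '%s\n' "${1##*\\}" ;;
        *+*)  printf '%s\n' "${1##*+}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Print the group names referenced as %group in sudoers text on stdin.
sudoers_groups() {
    sed -n 's/^%\([^[:space:]]*\).*/\1/p'
}

# classify_group NAME GETENT_LINES -> ok | prefixed | missing
# "prefixed": the group exists but only under a separator-prefixed name,
# so "%NAME" in sudoers will not match it (the failure in the question).
classify_group() {
    want=$1 result=missing
    for g in $(printf '%s\n' "$2" | cut -d: -f1); do
        if [ "$g" = "$want" ]; then result=ok; break
        elif [ "$(strip_winbind_prefix "$g")" = "$want" ]; then result=prefixed
        fi
    done
    printf '%s\n' "$result"
}

# Constructed sample data (names from the question, extra group made up).
# On a real host feed it "getent group" and /etc/sudoers instead.
SAMPLE_GETENT='root:x:0:
\linuxadmins:x:784:xyz
dbadmins:x:785:abc'
SAMPLE_SUDOERS='%linuxadmins ALL =(ALL) ALL
%dbadmins ALL=(ALL) /usr/bin/systemctl
root ALL=(ALL) ALL'

for grp in $(printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_groups); do
    printf '%-12s %s\n' "$grp" "$(classify_group "$grp" "$SAMPLE_GETENT")"
done
```

Run it periodically alongside getent group on an affected host; a group flipping between "ok" and "prefixed" confirms the intermittent separator behaviour rather than a sudoers typo.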