Bug 9999 - Odd behaviour in domain group names
Status: NEW
Product: Samba 3.5
Classification: Unclassified
Component: Winbind
Version: 3.5.6
Hardware: x64 Other
Importance: P5 normal
Target Milestone: ---
Assigned To: Michael Adam
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2013-07-05 05:53 UTC by martinvonlall
Modified: 2013-07-05 05:57 UTC (History)
Description martinvonlall 2013-07-05 05:53:35 UTC
Hi,

I wanted admins to authenticate in Debian (using 6 & 7) using domain accounts, so I created linuxadmins group in AD and added admins in there. Then I set up samba and winbind, joined to a domain. Of course, admins need superuser rights, so I added %linuxadmins to sudoers. Now things went odd.
 
SSH login always works with AD accounts (linuxadmins members), but AD admins couldn't always get "sudo su" (user not in sudoers error). Across 10+ servers.

Then I found out that getent group gives back all my AD groups and only linuxadmins has backslash in front of it. This was the only AD group with a backslash, shown in serverA.
Then I logged in (using same AD account as in serverA) to serverB, and sudo su worked. getent groups didn't show any backslashes in group names.

This behavior happens across all servers. I must remind that this is still the ONLY group that has the problem. When I tried creating linuxadmins2, the same things were happening.


As I said, SSH login with users belonging to linuxadmins always works. This is due to a line in common-auth (pam.d):

auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login require_membership_of=linuxadmins try_first_pass

Maybe that causes my problems?

The same problem is in Debian 6 and Debian 7 servers, 32 and 64 bit.



I started looking from serverfault until I ended up here. There's maybe some information I missed here.
http://serverfault.com/questions/520780/winbind-separator-and-group-name-behavior-in-getent-group-constantly-changing
Comment 1 martinvonlall 2013-07-05 05:57:45 UTC
I forgot my workaround. I created 2 groups: ainuxadmins and linuxsudo. Now getent gives (usually, but not always) these results:
linuxsudo
\linuxadmins

And it works. There are no ssh auth errors nor sudo su problems. But it is a workaround.
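The mismatch the reporter hits (a group name that `getent group` returns with a leading winbind separator, so a `%linuxadmins` sudoers entry never matches it) can be checked on a host with the small script below. This is an added example, not code from the bug report or from Samba; the `getent`-style sample input is constructed here to mirror the report, and the function names are my own.

```bash
#!/bin/sh
# Constructed sample of `getent group` output as described in the report:
# one AD group comes back with a leading backslash (the winbind separator),
# the others come back bare.
SAMPLE_GETENT='linuxsudo:x:10001:
\linuxadmins:x:10002:martin
domain users:x:10000:
'

# find_prefixed_groups: read getent-style lines on stdin and print the group
# names that start with a backslash, i.e. the entries that look like the
# "\linuxadmins" line in the report. Run on a real host as:
#   getent group | find_prefixed_groups
find_prefixed_groups() {
    awk -F: 'substr($1, 1, 1) == "\\" { print $1 }'
}

# sudoers_group_resolves NAME: exit 0 when a sudoers "%NAME" entry names a
# group that appears verbatim as a group name in the getent-style input on
# stdin, exit 1 otherwise. "\linuxadmins" is not "linuxadmins", which is why
# sudo reported "user not in sudoers" on the affected servers.
sudoers_group_resolves() {
    want="$1"
    awk -F: -v want="$want" '$1 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone demonstration against the constructed sample.
printf '%s' "$SAMPLE_GETENT" | find_prefixed_groups
if printf '%s' "$SAMPLE_GETENT" | sudoers_group_resolves linuxadmins; then
    echo "%linuxadmins in sudoers would match"
else
    echo "%linuxadmins in sudoers would NOT match (separator-prefixed name)"
fi
```

Comparing the output of `find_prefixed_groups` between two joined hosts (serverA and serverB in the report) shows directly whether the separator is being prepended inconsistently.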