I wanted admins to authenticate in Debian (using 6 & 7) using domain accounts, so I created linuxadmins group in AD and added admins in there. Then I set up samba and winbind, joined to a domain. Of course, admins need superuser rights, so I added %linuxadmins to sudoers. Now things went odd.
SSH login works always with AD accounts (linuxadmin menbers), but AD admins couldn't always get "sudo su" (user not in sudoers error). Through 10+ servers.
Then I found out that getent group gives back all my AD groups and only linuxadmins has backslash in front of it. This was the only AD group with a backslash, shown in serverA.
Then I logged in (using same AD account as in serverA) to serverB, and sudo su worked. getent groups didn't show any backslashes in group names.
This behavior happens through all servers. I must remind that this is still ONLY group that has the problem. When I tried creating linuxadmins2, same things were happening.
As I said, SSH login with users belonging to linuxadmins always works. This is due to line in common-auth, pam.d
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login require_membership_of=linuxadmins try_first_pass
Maybe that causes my problems?
The same problem is in Debian 6 and Debian 7 servers, 32 and 64 bit.
I started looking from serverfault until I ended up here. There's maybe some information I missed here.
I forgot my workaround. I created 2 groups. ainuxadmins and linuxsudo. Now getent gives (usually but not alyways) results:
And it works. There are no ssh auth errors nor sudo su problems. But it is a workaround.
I don't see something like this with current samba/winbind releases. If you can still see such an issue with current 4.12 or later releases, please reopen and give detailled instructions to reproduce it.