06-03-2008
Enable sudo for Win AD users authenticated with Linux samba winbind service
Hi everyone,
I wonder if anyone ever came across the idea of unifying AD and Linux user accounts.
We have a Linux machine with the 'samba' 'winbind' service configured to let Windows AD users log on locally using their AD accounts and passwords.
I can use 'su' to get to the local user privilege level, but it would be nice to have the same AD account be able to use sudo commands without relying on the local Linux account password that 'su' is based on. Is there any way to grant these Windows AD users certain permissions to run certain commands on the Linux machine using sudo(ers) and use only AD account passwords? I see a big security advantage in doing this in companies with heterogeneous OS.
[DEVDOM\test@rh4sandbox2 ~]$ sudo -l
Password:
Sorry, user DEVDOM\test may not run sudo on rh4sandbox2.
I tried to add the user to sudoers, but any time I check whether sudo works for the user, it produces an error in /var/log/messages:
Jun 2 16:41:09 rh4sandbox2 sudo(pam_unix)[683]: authentication failure; logname=DEVDOM\test uid=0 euid=0 tty=pts/3 ruser= rhost= user=DEVDOM\test
There should be two backslashes (\\) after the domain name: DEVDOM\\test
The question is closed.
Last edited by will_mike; 06-10-2008 at 06:40 PM..
Reason: found the solution
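The fix reported in the post, doubling the backslash in the sudoers entry, as an added example that is not part of the original post: a POSIX shell helper that writes the escaped rule for a winbind account and flags rule lines that still carry a single backslash. The account and host names come from the post; the function names and the command path are constructed for illustration.

```shell
#!/bin/sh
# Added example: sudoers rules for winbind "DOMAIN\user" accounts.
# Function names and the sample command are constructed, not from the post.

# Print the account as it must appear in sudoers: exactly one DOMAIN\user
# separator, written as two backslashes. Returns 1 for any other input.
sudoers_escape_user() {
    case "$1" in *\\*) ;; *) return 1 ;; esac   # must contain a DOMAIN\ prefix
    domain=${1%%\\*}                            # text before the first "\"
    user=${1#*\\}                               # text after the first "\"
    case "$domain$user" in
        *[!A-Za-z0-9._-]*) return 1 ;;          # second "\", space, "#", "%", ","
    esac
    [ -n "$domain" ] && [ -n "$user" ] || return 1
    printf '%s\\\\%s' "$domain" "$user"
}

# Build one rule line: the account may run the given command as root on host.
sudoers_rule() {    # $1 = account, $2 = host, $3 = command (absolute path)
    esc=$(sudoers_escape_user "$1") || return 1
    case "$3" in /*) ;; *) return 1 ;; esac     # refuse relative command paths
    printf '%s %s = (root) %s\n' "$esc" "$2" "$3"
}

# Print, with line numbers, rule lines whose DOMAIN\user still has a single
# backslash. Reads the named files, or standard input if none are given.
lint_single_backslash() {
    grep -nE '^[A-Za-z0-9._-]+\\[A-Za-z0-9._-]+[[:space:]]' "$@"
}

# Demonstration with the account and host from the post.
sudoers_rule 'DEVDOM\test' rh4sandbox2 '/sbin/service httpd restart'
```

Check the generated line with `visudo -c -f <file>` before merging it into the live sudoers policy.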
pam_timestamp
PAM_TIMESTAMP(8) Linux-PAM Manual PAM_TIMESTAMP(8)
NAME
pam_timestamp - Authenticate using cached successful authentication attempts
SYNOPSIS
pam_timestamp.so [timestamp_timeout=number] [verbose] [debug]
DESCRIPTION
In a nutshell, pam_timestamp caches successful authentication attempts, and allows you to use a recent successful attempt as the basis for authentication. This is a mechanism similar to the one used in sudo.
When an application opens a session using pam_timestamp, a timestamp file is created in the timestampdir directory for the user. When an application attempts to authenticate the user, pam_timestamp will treat a sufficiently recent timestamp file as grounds for succeeding.
OPTIONS
timestamp_timeout=number
How long pam_timestamp should treat a timestamp as valid after its last modification date (in seconds). Default is 300 seconds.
verbose
Attempt to inform the user when access is granted.
debug
Turns on debugging messages sent to syslog(3).
MODULE TYPES PROVIDED
The auth and session module types are provided.
RETURN VALUES
PAM_AUTH_ERR
The module was not able to retrieve the user name or no valid timestamp file was found.
PAM_SUCCESS
Everything was successful.
PAM_SESSION_ERR
Timestamp file could not be created or updated.
NOTES
Users can get confused when they are not always asked for passwords when running a given program. Some users reflexively begin typing
information before noticing that it is not being asked for.
EXAMPLES
auth sufficient pam_timestamp.so verbose
auth required pam_unix.so
session required pam_unix.so
session optional pam_timestamp.so
FILES
/var/run/sudo/...
timestamp files and directories
SEE ALSO
pam_timestamp_check(8), pam.conf(5), pam.d(5), pam(8)
AUTHOR
pam_timestamp was written by Nalin Dahyabhai.
Linux-PAM Manual 09/19/2013 PAM_TIMESTAMP(8)