Here you go my man:

drew.pat...@net-ann-sv-13:~$ /opt/likewise/bin/lw-find-user-by-name --level 2 "domain.local\drew.patten"
User info (Level-2):
====================
Name:                        drew.patten
SID:                         S-1-5-21-587819492-3587137056-2399155095-1109
UPN:                         drew.pat...@domain.local
Generated UPN:               NO
Uid:                         1872233557
Gid:                         1872232961
Gecos:                       Drew Patten
Shell:                       /bin/sh
Home dir:                    /home/local/domain/drew.patten
LMHash length:               0
NTHash length:               0
Local User:                  NO
Account disabled:            FALSE
Account Expired:             FALSE
Account Locked:              FALSE
Password never expires:      TRUE
Password Expired:            FALSE
Prompt for password change:  YES
User can change password:    YES
Days till password expires:  0
drew.pat...@net-ann-sv-13:~$ /opt/likewise/bin/lw-find-group-by-name --level 1 "domain.local\domain^admins"
Group info (Level 1):
====================
Name:           domain^admins
Gid:            1872232960
SID:            S-1-5-21-587819492-3587137056-2399155095-512
Members:        ........
                ........
                ........
                ........
Members Count:  5

r...@net-ann-sv-13:/home/local/domain/drew.patten# grep -i "not found" /var/log/messages
r...@net-ann-sv-13:/home/local/domain/drew.patten#

-----Original Message-----
From: Justin Pittman [mailto:jpitt...@likewise.com]
Sent: Tuesday, April 28, 2009 4:16 PM
To: Drew Patten
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: RE: [Likewise-open-discuss] SUDO Access

The dot is somewhat worrisome; although it's included in the NetBIOS character set, it may not be parsed correctly. Assuming this is Linux, what do the following return:

id "DOMAIN.LOCAL\drew.patton"
/opt/likewise/bin/lw-find-user-by-name --level 2 "DOMAIN.LOCAL\drew.patton"
/opt/likewise/bin/lw-find-group-by-name --level 1 "DOMAIN.LOCAL\domain^admins"
grep -i "not found" /var/log/messages

Justin

-----Original Message-----
From: Drew Patten [mailto:dpat...@netcordia.com]
Sent: Tuesday, April 28, 2009 4:06 PM
To: Justin Pittman; Briguglio, Frank (10421)
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: RE: [Likewise-open-discuss] SUDO Access

Which is exactly what I have:

%DOMAIN.LOCAL\\domain^admins ALL=(ALL) ALL
%DOMAIN.LOCAL\\Linux ALL=(ALL) ALL

$ id
uid=1872233557(drew.patten) gid=1872232961(domain^users) groups=1872232960(domain^admins),1872232961(domain^users),1872232966(schema^admins),1872232967(enterprise^admins),1872232968(group^policy^creator^owners),1872233697(itops),1872233733(rsa_supervisor),1872234185(information^technology),1872234208(linux)

drew.pat...@net-ann-sv-13:~$ su drew.patten

No luck, have to 'su' to gain root access.
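A small diagnostic, added here and not part of the thread, that does offline what Justin's checks do by hand: it takes the %group lines from a sudoers file and the group names id prints for the user, undoes the \\ escaping sudoers needs for a literal backslash, strips an optional DOMAIN\ prefix and lowercases both sides, then lists which sudoers entries actually name a group the user is in. The sudoers lines and the group list are constructed from the ones quoted above; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): list which %group entries in a
# sudoers file name a group that `id -Gn` reports for the user.
# Both sides are normalised first: the "\\" that sudoers needs for a
# literal backslash becomes "\", an optional "DOMAIN\" prefix is dropped
# (Likewise may show AD groups with or without it), and the name is
# lowercased (AD names are not case-sensitive).
# Sample inputs below are constructed from the lines quoted in the thread.

SUDOERS_SAMPLE='%DOMAIN.LOCAL\\domain^admins ALL=(ALL) ALL
%DOMAIN.LOCAL\\Linux ALL=(ALL) ALL
%wheel ALL=(ALL) ALL'

# Group names as `id` printed them for drew.patten (constructed copy).
ID_GROUPS_SAMPLE='domain^admins domain^users schema^admins enterprise^admins group^policy^creator^owners itops rsa_supervisor information^technology linux'

# Normalise one group name as described above.
norm_group() {
    printf '%s\n' "$1" | sed -e 's/\\\\/\\/g' -e 's/^[^\\]*\\//' | tr 'A-Z' 'a-z'
}

# Print each %group entry from sudoers text ($1) whose normalised name is
# in the space-separated group list ($2). Nothing printed means no
# sudoers group entry applies to this user.
matching_sudoers_groups() {
    sudoers=$1 groups=$2
    printf '%s\n' "$sudoers" | grep '^%' | while read -r entry _; do
        g=$(norm_group "${entry#%}")
        for ug in $groups; do
            if [ "$(norm_group "$ug")" = "$g" ]; then
                printf '%s\n' "$entry"
                break
            fi
        done
    done
}

matching_sudoers_groups "$SUDOERS_SAMPLE" "$ID_GROUPS_SAMPLE"
```

On a real host, substitute the output of id -Gn for the user and the contents of /etc/sudoers (readable only as root); an entry that does not appear in the output is one sudo will never match for that user, whatever the rest of the line grants.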
-----Original Message-----
From: Justin Pittman [mailto:jpitt...@likewise.com]
Sent: Tuesday, April 28, 2009 3:56 PM
To: Drew Patten; Briguglio, Frank (10421)
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: RE: [Likewise-open-discuss] SUDO Access

The previous post was a working syntax for group membership.

%MYDOMAIN\\MyLinuxAdminGroup ALL=(ALL) ALL

You'd have to replace the domain and group with actual names from AD. If that doesn't work, then the help file has several suggestions and troubleshooting techniques for sudo, id, etc.

Justin

-----Original Message-----
From: likewise-open-discuss-boun...@lists.likewisesoftware.com [mailto:likewise-open-discuss-boun...@lists.likewisesoftware.com] On Behalf Of Drew Patten
Sent: Tuesday, April 28, 2009 3:27 PM
To: Briguglio, Frank (10421)
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: Re: [Likewise-open-discuss] SUDO Access

I tried getting this to work with the latest version and didn't have any luck. I was never able to grant an AD account root access; to this day I have to 'su' to gain it. Can you copy/paste the line in your sudoers file so I can take a look at the syntax?

-----Original Message-----
From: likewise-open-discuss-boun...@lists.likewisesoftware.com [mailto:likewise-open-discuss-boun...@lists.likewisesoftware.com] On Behalf Of Briguglio, Frank (10421)
Sent: Tuesday, April 28, 2009 3:23 PM
To: Justin Pittman
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: Re: [Likewise-open-discuss] SUDO Access

I added something like

%MYDOMAIN\\MyLinuxAdminGroup ALL=(ALL) ALL

to the sudoers file via visudo and it works great for the proof of concept I was trying to achieve.

--
Frank J. Briguglio | Protiviti Government Solutions

-----Original Message-----
From: Justin Pittman [mailto:jpitt...@likewise.com]
Sent: Tuesday, April 28, 2009 3:08 PM
To: Briguglio, Frank (10421)
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: RE: [Likewise-open-discuss] SUDO Access

Likewise Enterprise has the same functionality as Open for name services. The users or groups defined in a sudoers file will be resolved to a UID/GID, and Likewise is defined to resolve usernames and groupnames via AD if they are not found locally. (This is the 'passwd files lsass' entry in nsswitch.conf, and its group counterpart.) For groups an enumeration of its members also happens, and Likewise can return the members' UIDs from AD.

As far as AD problems and local administrative backdoors, even if a Likewise client's connectivity to DCs/DNS collapses, caching is enabled by default. Locally cached IDs would allow sudo to continue to function.

Justin

-----Original Message-----
From: likewise-open-discuss-boun...@lists.likewisesoftware.com [mailto:likewise-open-discuss-boun...@lists.likewisesoftware.com] On Behalf Of Briguglio, Frank (10421)
Sent: Tuesday, April 28, 2009 10:39 AM
To: likewise-open-discuss@lists.likewisesoftware.com
Subject: Re: [Likewise-open-discuss] SUDO Access

Good point. I did see where I could use a combination of an AD group and the sudoers file. Is anyone trying this approach? It seems to be the best approach.

--
Frank J. Briguglio | Protiviti Government Solutions

________________________________
From: Alan Hatch [mailto:aha...@dollargeneral.com]
Sent: Tuesday, April 28, 2009 10:34 AM
To: Briguglio, Frank (10421); likewise-open-discuss@lists.likewisesoftware.com
Subject: RE: SUDO Access

Frank,

To add to what has already been offered, you can also set your admins up in a local group and use that group to control access via the sudoers file if you want more granular access (that is how we manage developer accounts).
Please be aware, however, that your Linux admins won't be able to do their job if you have AD issues (we maintain local accounts for all administrators).

________________________________
From: likewise-open-discuss-boun...@lists.likewisesoftware.com [mailto:likewise-open-discuss-boun...@lists.likewisesoftware.com] On Behalf Of Briguglio, Frank (10421)
Sent: Tuesday, April 28, 2009 9:07 AM
To: likewise-open-discuss@lists.likewisesoftware.com
Subject: [Likewise-open-discuss] SUDO Access

I would like to have Linux admins log in with AD credentials and then sudo to perform advanced administrative tasks. With Likewise Open can I configure this without modifying the sudoers file? What about Likewise Enterprise?

Thanks in advance.

_____________________________________________________________________
Likewise-open-discuss mailing list
Likewise-open-discuss@lists.likewisesoftware.com
Found a bug? Please file a report: http://lobugs.likewise.com/
Looking for other discussion options? Try our forums: http://www.likewise.com/community/index.php/forums/