From: Jamie C. <jca...@we...> - 2010-07-10 23:39:51
Ok, that would explain it. Webmin uses that sudo command to check if a user
is allowed to run all commands via sudo, and only allows logins by those
that can.

If you can't get this worked out, there are other authentication options
available in Webmin. You can instead allow all members of a particular group
to login with root permissions - this can be set up in the Webmin Users module.

 - Jamie

On Jul 10, 2010, at 9:30 PM, Attila Gömbös <att...@gm...> wrote:

> Thanks, the problem will be here:
> --
> MH\agombos@mhlnx:~$ sudo -l -S
> Matching Defaults entries for MH\agombos on this host:
>     env_reset
>
> User MH\agombos may run the following commands on this host:
> sudo: unable to cache group mh\domain^admins, already exists
> --
>
> The bug is described here:
> https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/548893
>
> I've contacted them for further investigations. Thanks for your help.
>
> Attila
>
> The really strange thing about the whole thing is that with "sudo -i"
> through SSH users can get root privileges despite the error message
> above.
> I will contact Ubuntu developers about the patches.
>
>
> On Sat, Jul 10, 2010 at 2:37 PM, Jamie Cameron <jca...@we...>
> wrote:
>> Ok, that looks fine ..
>>
>> If you su to this user and run :
>>
>>   sudo -l -S
>>
>> what does it output? Webmin expects something like :
>>
>>   (ALL) ALL
>>
>> On 10/Jul/2010 04:52 Attila Gömbös <att...@gm...> wrote ..
>>> Hello Jamie!
>>>
>>> The username is simply just domain\user. In the pam_sm_authenticate
>>> line every username is put in [ ] characters.
>>> With domain\user certainly I can sudo.
>>>
>>> Attila
>>>
>>>
>>> On Sat, Jul 10, 2010 at 1:23 AM, Jamie Cameron
>>> <jca...@we...> wrote:
>>>> On 09/Jul/2010 05:02 Attila Gömbös <att...@gm...> wrote ..
>>>>> Hello!
>>>>>
>>>>> I'd like to enable my Windows Domain Administrators group to login
>>>>> through Webmin.
>>>>> I'm using the Ubuntu 10.04 provided likewise-open package.
>>>>> Members of Domain administrators group are able to authenticate
>>>>> through ssh and to get root privileges through sudo.
>>>>> So /etc/sudoers looks like this:
>>>>>
>>>>> %DOMAIN\\domain^admins ALL=(ALL) ALL
>>>>>
>>>>> In Webmin I've also enabled this feature: "Allow users who can run
>>>>> all commands via sudo to login as root"
>>>>>
>>>>>
>>>>> However I can't login through Webmin interface.
>>>>> /var/log/auth.log states these:
>>>>>
>>>>> Jul 7 13:30:42 lnx01 perl[2910]: pam_sm_authenticate: Called
>>>>> Jul 7 13:30:42 lnx01 perl[2910]: pam_sm_authenticate: username = [DOMAIN\user]
>>>>>
>>>>> Jul 7 13:30:42 lnx01 perl[2910]: pam_unix(webmin:session): session opened for user DOMAIN\user by (uid=0)
>>>>> Jul 7 13:30:42 lnx01 sudo: DOMAIN\user: TTY=pts/1 ; PWD=/usr/share/webmin ; USER=root ; COMMAND=list
>>>>> Jul 7 13:30:42 lnx01 webmin[2910]: Invalid login as domain\user from 10.2.1.16
>>>>>
>>>>>
>>>>> I've also found this thread:
>>>>> http://copilotco.com/mail-archives/webmin.2008/msg00719.html
>>>>> But if I copy /etc/pam.d/sshd to /etc/pam.d/webmin nothing changes.
>>>>>
>>>>>
>>>>> /etc/pam.d/webmin currently looks like this:
>>>>> #%PAM-1.0
>>>>> @include common-auth
>>>>> @include common-account
>>>>> @include common-password
>>>>> @include common-session
>>>>>
>>>>> Thanks for any advice.
>>>>>
>>>>> Attila
>>>>
>>>> Hi Attila,
>>>>
>>>> It sounds like Webmin is having trouble determining that the user
>>>> you are logging in as can sudo. What is the actual full username you
>>>> are entering .. is it really like "[DOMAIN\user]" with the [ ]
>>>> characters?
>>>>
>>>> Also, can you SSH in as a user like this, or switch to this user
>>>> with a command like : su "[DOMAIN\user]"
>>>>
>>>>  - Jamie
>>>>
>>>> ------------------------------------------------------------------
>>>> This SF.net email is sponsored by Sprint
>>>> What will you do first with EVO, the first 4G phone?
>>>> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
>>>> -
>>>> Forwarded by the Webmin mailing list at web...@li...
>>>> To remove yourself from this list, go to
>>>> http://lists.sourceforge.net/lists/listinfo/webadmin-list
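
Added example, not part of the original thread and not Webmin's own code: a small shell check that classifies a `sudo -l` listing along the lines described above, where a "(ALL) ALL" rule means the user can run everything. The function and sample names are hypothetical, the healthy and limited listings are constructed, and accepting "(ALL : ALL) ALL" or a NOPASSWD: tag as equivalent is an assumption that goes beyond the single form quoted in the thread.

```shell
# Added example, not Webmin's code. Function and sample names are hypothetical.
# Real use, as the user being checked:  sudo -l 2>&1 | classify_sudo_listing

# Reads a `sudo -l` listing on stdin and prints:
#   full    - a run-everything rule such as "(ALL) ALL" is listed
#   broken  - sudo reported an error and no such rule was listed
#   limited - the listing is readable but grants only specific commands
classify_sudo_listing() {
    listing=$(cat)
    # Assumption: "(ALL : ALL) ALL" and a NOPASSWD: tag also count as full.
    full_re='^[[:space:]]+\(ALL([[:space:]]*:[[:space:]]*ALL)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'
    if printf '%s\n' "$listing" | grep -Eq "$full_re"; then
        echo full
    elif printf '%s\n' "$listing" | grep -q '^sudo: '; then
        echo broken
    else
        echo limited
    fi
}

# Output quoted in the thread (rule list replaced by the group-cache error).
sample_thread_output() {
cat <<'EOF'
Matching Defaults entries for MH\agombos on this host:
    env_reset

User MH\agombos may run the following commands on this host:
sudo: unable to cache group mh\domain^admins, already exists
EOF
}

# Constructed: what a healthy listing for the same user would look like.
sample_healthy_output() {
cat <<'EOF'
User MH\agombos may run the following commands on this host:
    (ALL) ALL
EOF
}

# Constructed: a user limited to one command.
sample_limited_output() {
cat <<'EOF'
User MH\agombos may run the following commands on this host:
    (root) /usr/bin/apt-get update
EOF
}

for s in sample_thread_output sample_healthy_output sample_limited_output; do
    printf '%s: %s\n' "$s" "$("$s" | classify_sudo_listing)"
done
```

The "broken" result separates a sudo or directory-service fault, as in this thread, from a sudoers entry that really does not grant full rights.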