AD user can't sudo

Status
Not open for further replies.

jg3 (Dabbler; joined May 17, 2017; 20 messages)
Hello,

Problem: My AD shell account password always fails when using sudo.

I have AD auth to my Windows 2012 server working fine, and no other (known) FreeNAS problems. I can SSH in using my AD password. In trying to follow the tutorial on how to set up a jail, I have to run a command like jexec 1 tcsh, but my domain user doesn't have permission for that. Enter sudo.

Code:
$ sudo jexec 1 tcsh

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

	#1) Respect the privacy of others.
	#2) Think before you type.
	#3) With great power comes great responsibility.

Password:
Sorry, try again.
Password:
...


Putting in my AD password (correctly) gets repeatedly rejected. What gives?


Notes and context:

Code:
jg3@lappy$ ssh jg@fn
jg@fn's password:
Last login: Thu Feb  1 11:36:34 2018 from 10.39.0.230
FreeBSD 11.1-STABLE (FreeNAS.amd64) #0 r321665+4bd3ee42941(freenas/11.1-stable): Thu Jan 18 15:45:01 UTC 2018
...

I can log in using my AD password.



Code:
$ id
uid=21109(jg) gid=20513(domain users) groups=20513(domain users),21109(jg),21117(allowed rdp),21129(sudoers),90000005(BUILTIN\users)
$
I'm in the sudoers group



Code:
$ sudo -l
Matching Defaults entries for jg on fn:
	syslog_goodpri=debug, secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin\:/usr/local/sbin\:/usr/local/bin

User jg may run the following commands on fn:
	(ALL) NOPASSWD: /etc/find_alias_for_smtplib.py
	(ALL : ALL) ALL

sudo lists me as someone who should be able to execute all commands.



Code:
$
$ wbinfo -u
administrator
guest
krbtgt
curly
jg
larry
moe
freenas-user
fn

domain users

Code:
$ wbinfo -g
winrmremotewmiusers__
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
cloneable domain controllers
protected users
dnsadmins
dnsupdateproxy
dhcp users
dhcp administrators
allowed rdp
sudoers

domain groups


Code:
$ wbinfo -t
checking the trust secret for domain SIX via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret
$

I think this is because my AD configuration is unencrypted?
 

jg3
Hi m0nkey_, thanks for the reply.

> I believe that's because your /usr/local/etc/sudoers file will have the line:
> Code:
> %wheel		 ALL=(ALL:ALL) ALL
>
> in it, which translates to "let users in the wheel group execute any command via sudo"

My sudoers file has a similar line to allow anyone in the "sudoers" group to execute anything. That's what sudo -l shows. For extra fun, you can specify the -l (el) option multiple times:

Code:
$ sudo -ll
Matching Defaults entries for jg on fn:
	syslog_goodpri=debug, secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin\:/usr/local/sbin\:/usr/local/bin

User jg may run the following commands on fn:

Sudoers entry:
	RunAsUsers: ALL
	Options: !authenticate
	Commands:
   /etc/find_alias_for_smtplib.py

Sudoers entry:
	RunAsUsers: ALL
	RunAsGroups: ALL
	Commands:
   ALL
$


I think my question boils down to: why is sudo not properly authenticating my AD account / password when sshd is?
 

jg3
This is what shows up in the system log:
Code:
Feb  3 09:31:09 10.39.6.99 Feb  3 09:31:09 fn sudo:	   jg : 3 incorrect password attempts ; TTY=pts/5 ; PWD=/mnt/Vol_2X8T/Server/HOMES/SIX/jg ; USER=root ; COMMAND=/usr/sbin/jexec 2 tcsh
Feb  3 09:31:09 10.39.6.99 Feb  3 09:31:09 fn sudo:	   jg : 3 incorrect password attempts ; TTY=pts/5 ; PWD=/mnt/Vol_2X8T/Server/HOMES/SIX/jg ; USER=root ; COMMAND=/usr/sbin/jexec 2 tcsh


So clearly sudo isn't doing the auth thing right, right?
 
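What the thread is circling around is which PAM policy each program authenticates against. sshd reads the policy named "sshd"; sudo asks PAM for a policy named "sudo", and OpenPAM (the PAM implementation on FreeBSD and therefore FreeNAS) looks for that name in /etc/pam.d and /usr/local/etc/pam.d, falling back to the "other" policy when no file by that name exists. If "other" carries only pam_unix.so, an AD password can never satisfy sudo even though sshd, whose policy includes pam_winbind.so, accepts it. The script below is an added example, not code from the thread or from FreeNAS: it builds a constructed pam.d tree in a temporary directory (the sample policy lines are illustrative, not FreeNAS's real files), resolves the auth stack OpenPAM would assemble for sshd and for sudo, names the module sudo is missing, then installs a "sudo" policy that reuses the system stack and re-checks. PAM_DIRS is the assumed OpenPAM search order; on a live box set it to "/etc/pam.d /usr/local/etc/pam.d" and drop the sample-file section.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeNAS.  Resolves the PAM "auth"
# stack OpenPAM would build for a service name and compares sshd with sudo.
# Assumed: OpenPAM's lookup order (/etc/pam.d, then /usr/local/etc/pam.d,
# then the "other" policy) and the sample policy files below, which are
# constructed for illustration only.

ROOT=$(mktemp -d) || exit 1
trap 'rm -rf "$ROOT"' EXIT
PAM_DIRS="$ROOT/etc/pam.d $ROOT/usr/local/etc/pam.d"   # OpenPAM search order
for d in $PAM_DIRS; do mkdir -p "$d"; done

# Constructed sample tree: sshd pulls in "system", which carries pam_winbind
# (AD logins work); "other" has only pam_unix; no policy named "sudo" exists.
cat > "$ROOT/etc/pam.d/system" <<'EOF'
# constructed sample, not FreeNAS's real file
auth    sufficient  pam_winbind.so  silent try_first_pass
auth    required    pam_unix.so     no_warn try_first_pass
EOF
printf 'auth    include     system\n' > "$ROOT/etc/pam.d/sshd"
printf 'auth    required    pam_unix.so     no_warn try_first_pass\n' \
    > "$ROOT/etc/pam.d/other"

# pam_policy_file SERVICE: print the policy file OpenPAM would load, if any.
pam_policy_file() {
    for d in $PAM_DIRS; do
        [ -f "$d/$1" ] && { echo "$d/$1"; return 0; }
    done
    return 1
}

# pam_auth_modules SERVICE: print the service's auth modules on one line,
# following "include" lines and falling back to "other" like OpenPAM does.
pam_auth_modules() {
    f=$(pam_policy_file "$1") || f=$(pam_policy_file other) || return 1
    awk '$1 == "auth"' "$f" | while read -r kw ctl mod rest; do
        if [ "$ctl" = include ]; then
            pam_auth_modules "$mod"      # recursion runs in the pipeline subshell
        else
            echo "$mod"
        fi
    done | tr '\n' ' ' | sed 's/ $//'
}

# sudo_auth_matches_sshd: 0 if every auth module sshd uses is also in sudo's
# stack, 1 (naming the first missing module) otherwise.
sudo_auth_matches_sshd() {
    sshd_mods=$(pam_auth_modules sshd)
    sudo_mods=$(pam_auth_modules sudo)
    echo "sshd auth stack: $sshd_mods"
    echo "sudo auth stack: $sudo_mods (from $(pam_policy_file sudo || echo 'other'))"
    for m in $sshd_mods; do
        case " $sudo_mods " in
            *" $m "*) ;;
            *) echo "sudo is missing $m: AD passwords cannot satisfy it"; return 1 ;;
        esac
    done
    return 0
}

# install_sudo_policy: the fix, a "sudo" policy in /usr/local/etc/pam.d that
# reuses the same system stack sshd authenticates against.
install_sudo_policy() {
    printf 'auth    include     system\n' > "$ROOT/usr/local/etc/pam.d/sudo"
}

echo "--- before"
sudo_auth_matches_sshd || true
echo "--- after installing a sudo policy"
install_sudo_policy
sudo_auth_matches_sshd
```

On a real box the two things worth checking first are whether winbind itself accepts the password (wbinfo -a 'jg%password' asks winbind directly, independent of PAM) and whether /usr/local/etc/pam.d/sudo exists at all; if it does not, compare /etc/pam.d/other with /etc/pam.d/sshd, since "other" is what sudo is then using. The wbinfo -t output in the first post (WBC_ERR_WINBIND_NOT_AVAILABLE, "Could not check secret") is what that command typically prints when run as an ordinary user rather than root, because the trust check goes over winbind's privileged pipe, so rerun it as root before reading anything into it.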