Sudo 1.7.4 and AD groups

Robert Archer archerra at
Wed Jan 12 06:34:38 UTC 2011

Hi FreeBSD Folks,

I'm using Samba 3.5.6 to authenticate logins and manage access on FreeBSD 8.1.

With Sudo 1.7.2, I was able to use Active Directory groups in sudoers(5), but
this doesn't seem to work in 1.7.4.


  $ uname -a
  FreeBSD 8.1-RELEASE-p2 FreeBSD 8.1-RELEASE-p2 #0: Tue Jan 11 06:03:08 CST 2011     root at  amd64
  $ sudo -V
  Sudo version 1.7.4p4
  $ winbindd -V
  Version 3.5.6


  group:          files winbind
  hosts:          files dns
  networks:       files
  passwd:         files winbind
  protocols:      files
  rpc:            files
  services:       files
  shells:         files


  auth            sufficient      /usr/local/lib/   try_first_pass
  auth            include         system
  account         include         system
  session         required
  password        include         system


  Defaults                env_keep        += "EDITOR FTP_PASSIVE_MODE HOME PAGER"
  Defaults                insults
  Defaults                shell_noargs
  Defaults                syslog          = auth
  Defaults                !tty_tickets
  root                    ALL             = (ALL) ALL
  %wheel                  ALL             = (ALL) ALL
  %cis-sambagroupname     ALL             = (ALL) ALL

Using version 1.7.2:

  $ /mnt/usr/local/bin/sudo -V
  Sudo version 1.7.2p6
  $ /mnt/usr/local/bin/sudo -l
  Matching Defaults entries for cis-username on this host:
      env_keep+="EDITOR FTP_PASSIVE_MODE HOME PAGER", insults, shell_noargs, syslog=auth, !tty_tickets

  User cis-username may run the following commands on this host:
      (ALL) ALL

Using version 1.7.4:

  $ sudo -V
  Sudo version 1.7.4p4
  $ sudo -l
  Sorry, user cis-username may not run sudo on cis-mvl.

The group looks correct:

  $ getent group cis-sambagroupname

And if I add my username to sudoers(5), it works fine.

Any suggestions?


More information about the freebsd-questions mailing list