2

I just installed a brand new VM with Debian 10 (buster) and joined it to our active directory using pbis.

what I encountered now is, that:

  • as the root user, I can su to every other available user in our AD WITHOUT being asked for a password
  • as a normal user I can only su to other users if I have the correct password and type it in

In previous versions of Debian (like 9) it was not possible do do that.

What I did to join the AD:

apt install gnupg -y wget -O - http://repo.pbis.beyondtrust.com/apt/RPM-GPG-KEY-pbis | apt-key add wget -O /etc/apt/sources.list.d/pbiso.list http://repo.pbis.beyondtrust.com/apt/pbiso.list apt-get update apt-get install pbis-open -y pbis join full.domain.name.de $ADMINUSER $ADMINPW pbis set-default-domain full.domain.name.de /opt/pbis/bin/config UserDomainPrefix PREFIX /opt/pbis/bin/config AssumeDefaultDomain true /opt/pbis/bin/config LoginShellTemplate "/bin/bash" /opt/pbis/bin/config RequireMembershipOf "PREFIX\\admingoup" "PREFIX\\${HOST}-admin" "PREFIX\\${HOST}-user" /opt/pbis/bin/config HomeDirTemplate "%H/%U" sed -i '23a%admingroup ALL=(ALL) ALL' /etc/sudoers sed -i '23a%'${HOST}'-admin ALL=(ALL) ALL' /etc/sudoers

so the other settings are basically standard. This is driving me crazy and I can't find out where to look what has changed since Debian 9 to the su command.

edit: so basically I become root with sudo suand then go for su other.user and it just works without a password prompt.

If I'm a non root user e.g. "normal.user" and go for su other.user it asks for the password and only lets me do it if I type in the correct one.

Improve this question
2
  • Are you in the admingroup? Commented Dec 4, 2019 at 14:25
  • @AndyDalton yes, but this should not affect anything, because the problem only occurs when I'm aleady root and try to su to another user - NOT when I'm logged in as a normal admin that has the right to become root, but isn't at the time I try to use su other.user - so admin.user@vmname: su other.usergives me the password prompt for other.user, root@vmname: su other.userdoesnt and just continues to other.user@vmname: Commented Dec 4, 2019 at 14:57

1 Answer 1

Reset to default
4

I can't find out where to look what has changed since Debian 9 to the su command.

You look at packages.debian.org.

There are differences caused by this switch. "debian su - and su $PATH differences?" shows one such difference. "su vs su - (on Debian): why is PATH the same?" is a question here whose answers have been invalidated by the change.

There were also several problems as a consequence, including that initially the util-linux package did not install the right PAM configurations for su. The NEWS file for util-linux also mentions that the util-linux su has multiple PAM configurations, not just one. Your BeyondTrust package installs PAM stuff in Debian. Check that it is interoperable with the different su that Debian is now providing.

Further reading

Improve this answer
1
  • thank you! nevertheless, I found out, that also debian 9 has these "issues" - Well, maybe the root power just explains it all: "With great power comes great responsibility". Commented Dec 6, 2019 at 13:27

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.