15

I inherited a Linux server; the previous administrator is no longer with our company. I can log in to the server via SSH with my company-wide Microsoft Directory administration user, and it works perfectly. I have sudo privileges. But I can't figure out why. This is my nsswitch.conf:

# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat ldap group: compat ldap shadow: compat ldap gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis

I would have expected to see myself with my user in the getent passwd command, but that's not the case:

myadminaccount@SERVER-NAME:~$ getent passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:104:110::/nonexistent:/usr/sbin/nologin sshd:x:105:65534::/run/sshd:/usr/sbin/nologin administrator:x:1000:1000:administrator,,,:/home/administrator:/bin/bash systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin _rpc:x:106:65534::/run/rpcbind:/usr/sbin/nologin mik:x:998:1001:OMD site mik:/omd/sites/mik:/bin/bash Debian-exim:x:107:114::/var/spool/exim4:/usr/sbin/nologin myadminaccount@SERVER-NAME:~$

The user seems to be known but the group not:

myadminaccount@SERVER-NAME:~$ ls -l | head -n4 insgesamt 384 -rw-r--r-- 1 myadminaccount 5001 11854 6. Feb 2023 update_2022-02-06.log -rw-r--r-- 1 myadminaccount 5001 46374 7. Nov 2022 update_2022-11-07.log -rw-r--r-- 1 myadminaccount 5001 8192 6. Mär 2023 update_2023-03-06.log myadminaccount@SERVER-NAME:~$ ls -ln | head -n4 insgesamt 384 -rw-r--r-- 1 2173 5001 11854 6. Feb 2023 update_2022-02-06.log -rw-r--r-- 1 2173 5001 46374 7. Nov 2022 update_2022-11-07.log -rw-r--r-- 1 2173 5001 8192 6. Mär 2023 update_2023-03-06.log

At a minimum, the hostname of the Active Directory server, a password or key for the connection, and the information that my user has sudo privileges should be configured somewhere on the server. But where? And why isn't my username listed in getent passwd? Where should I read and look to find out more?

The server is SMP Debian 5.10.226-1 (2024-10-03) x86_64.

Improve this question
2
  • 1
    In AWS one can provision a server such that access and sudo access are coupled to membership in Active Directory groups. And that would be managed by an SDP such as AppGate. Your account might not have a password. Commented Apr 8 at 0:35
  • 1
    Might need to go on a documentation deep dive, write up a bunch of stuff like this. Commented Apr 8 at 1:17

2 Answers 2

Reset to default
29

At a minimum, the hostname of the Active Directory server, a password or key for the connection, and the information that my user has sudo privileges should be configured somewhere on the server. But where?

The ldap nsswitch module.

This probably means the nslcd daemon (aka nss-pam-ldapd), configured via /etc/nslcd.conf – not the first choice for AD1 but it still does the job. Find the file libnss_ldap.so.2 (sorry, I don't recall offhand where Debian puts them) and run dpkg -S on it to determine the owner package.

Password authentication is generally not handled via nsswitch – despite the 'ldap' module being listed in the 'shadow' row, you will rarely if ever find shadow password entries in LDAP. Instead, a dedicated PAM module in /etc/pam.d/* performs network authentication in a more direct way.

Since you have nslcd for nsswitch, you probably also have either the standalone pam_krb5 for authentication, or possibly the same pam_ldap from nslcd.

1 (More common options for AD integration would be sss SSSD or winbind Samba Winbind, which would additionally handle logon through Kerberos for SSO; they come with both an nsswitch module and a PAM module.)

a password or key for the connection,

If nslcd is in use, then the machine credentials will likely have been deployed manually. In a proper AD-style setup, this would be /etc/krb5.keytab storing the Kerberos credentials for the machine account (klist -k to view).

But proper Kerberos usage with nslcd is a little fiddly to set up (and my patches to improve it have had no reaction from the developer), so it's more likely that you'll find a plain-text binddn and bindpw in the /etc/nslcd.conf.

If you're lucky, the previous admin will have manually set up per-machine accounts there. If you're really (un)lucky, the previous admin might have just deployed their Domain Admin credentials to all servers... (Which would have worked, because nslcd doesn't perform any AD-specific "Netlogon" RPC calls – it acts as a basic LDAP client, which only needs user-level credentials and does not require a "workstation trust relationship" as Windows calls it – but is certainly not what you want to find all over the place.)

[For future reference] A proper AD "domain join" should always have a dedicated computer account for each machine, its credentials stored either in krb5.keytab for SSSD/nslcd or in secrets.tdb for Winbind. Either of those could be provisioned using the realmd tool, although more direct adcli for SSSD or net join for Samba can also be used.

the information that my user has sudo privileges

While technically possible to store this in AD (sudo has both direct LDAP support and SSSD support), your nsswitch.conf does not have a 'sudo' row, therefore it's most likely that everything is configured through the regular /etc/sudoers (plus /etc/sudoers.d/*).

You can use sudo -ll to see which sudoers rules apply to you and where they come from.

The privileges might have been granted to an AD group by name, or your account might have been added to a local 'wheel' or 'sudoers' group (local groups can have non-local members).

[For reference] If I remember correctly, SSSD can also generate sudoers rules from Windows Group Policy.

And why isn't my username listed in getent passwd?

It is not uncommon for Active Directory integration to be set up as non-enumerable, both for performance (to help programs which foolishly insist on listing 1000s of accounts when they could've done a single getpwnam lookup) and for security/privacy.

In your case, enumeration might have been disabled client-side as part of nslcd.conf, and/or achieved through AD-side access control lists (think chmod 0711 but for LDAP OUs).

You could use ldapsearch or Apache Directory Studio to check what you're able to see directly. (Note that ldapsearch has a separate "defaults" file and does not share configuration with nslcd, so you may need to manually tell it about the URL.)

Improve this answer
4
  • 4
    oh nicer than my answer, honestly! Commented Apr 7 at 10:44
  • Last paragraph: Apache Directory Studio? Commented Apr 9 at 3:31
  • 1
    @RonJohn: Yes, Apache Directory Studio – from the same Apache Software Foundation as Apache HTTP Server, Apache Tomcat, Apache Hadoop, Apache Cassandra, and Apache fifty other things. Commented Apr 9 at 3:58
  • @grawity "Apache 382 other things" to be exact! Commented Apr 9 at 14:24
13

You have ldap authentication enabled on your system, so that answers how you are able to log in. There's a central LDAP server against which you're authenticated. That's typical for an AD setup.

At a minimum, the hostname of the Active Directory server, a password or key for the connection, and the information that my user has sudo privileges should be configured somewhere on the server.

Let's go through this one by one:

hostname of the Active Directory server

Agreed, somehow your computer needs to know which LDAP server to ask. /etc/ldap.conf and /etc/openldap/ldap.conf is where the LDAP client looks by default.

a password or key for the connection

Depends on how you establish the connection/trust. In an AD, that might be kerberos configuration.

information that my user has sudo privileges

I'm guessing that is solved implicitly via group memberships.

You're not being listed by getent because that would require enumerating the LDAP directory, and a) that might be huge and b) that's something that might (very reasonably) be forbidden.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.