Privileges when doing sudo to another domain user

Suppose I have a corporate domain mydomain using MS Active Directory. In the domain I have the users myuser and youruser. Now, on one specific Ubuntu machine mymachine, myuser has sudo rights, and does sudo su youruser (or sudo -u youruser sh). Since myuser has the necessary sudoers config, he does not need to enter youruser's password, and will effectively become youruser on that machine.

  1. What kind of youruser privileges will myuser have at this point? Obviously, if youruser also has a home directory on the machine, myuser can now access it and read his private local files. But what will happen if trying to access a network domain resource using kerberos, samba etc? I guess since he has never entered youruser's password he is not authenticated as a domain user, does not have a kerberos ticket etc. So if there's a network service that checks group memberships for his user id, will that also fail? How does this work? Is he considered to be a different user, say, mymachine\youruser as opposed to mydomain\youruser?

  2. Suppose there's a web service running as a daemon on the machine, using a dedicated domain user myserviceuser. If this web service needs to access network resources, i.e., authenticate with Kerberos, how should the daemon be set up, for example from an upstart script? Normally you start it using something like sudo -u myserviceuser <cmd>, but given the above assumptions, will this grant the web service any rights to access network resources? Shouldn't the password for this user have to be entered somewhere?


There's not nearly enough clear documentation on this stuff IMO.

  1. You are right - if a service is protected by kerberos then su/sudo is not sufficient to bypass the necessary authorisation (UNLESS the target user has a cached ticket because they are currently logged on, or a keytab). Most resources (e.g. local filesystem) rely on uidnumber and gidnumber to identify a user, and can be bypassed by root/sudo access.

  2. This is a fun one that I am dealing with presently at work. Say a service account apache needs to access a kerberised NFS share. You need to export a keytab for apache to the local filesystem and source that when the service starts, periodically renewing its ticket via perhaps cron. RHEL7 has gssproxy, which appears to simplify this but I haven't got to that point yet.

A keytab is effectively a saved credential. If someone can access it, they can masquerade as that user. Exporting a new keytab in IPA and AD changes the account's password.

Microsoft kerberos is slightly different but most rules still apply.
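As an added illustration of point 2 and the keytab caution above (example code, not from the answer or any project), here is a small wrapper an upstart or systemd job could start under the service account: it refuses a keytab that other local users can read, obtains a ticket from it with kinit, verifies the ticket with klist, and only then execs the service. The keytab path, principal and ccache location are assumed placeholders.

```shell
#!/bin/sh
# Wrapper: get a Kerberos ticket from a keytab, then exec the service.
# All three values below are assumed placeholders for this example.
KEYTAB="${KEYTAB:-/etc/krb5/apache.keytab}"
PRINCIPAL="${PRINCIPAL:-apache@EXAMPLE.COM}"
# Private credential cache so the ticket is not shared with other users.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/run/apache/krb5cc}"

# A keytab is a saved credential: anyone who can read it can act as the
# account. Return 0 only if the file exists and has no group/other bits.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Obtain a TGT from the keytab; klist -s exits 0 only if a valid ticket
# is now present in KRB5CCNAME.
get_ticket() {
    kinit -k -t "$KEYTAB" "$PRINCIPAL" && klist -s
}

# Periodic renewal (e.g. from cron): try to renew, fall back to a fresh kinit.
renew_ticket() {
    kinit -R 2>/dev/null || get_ticket
}

main() {
    if ! keytab_perms_ok "$KEYTAB"; then
        echo "refusing to start: $KEYTAB is missing or readable by others" >&2
        exit 1
    fi
    get_ticket || { echo "kinit from $KEYTAB failed" >&2; exit 1; }
    # The service inherits KRB5CCNAME and can use the ticket for NFS, HTTP etc.
    exec "$@"
}

# Run only when a command is given, e.g.:
#   sudo -u apache ./krb5-wrap.sh /usr/sbin/apache2 -DFOREGROUND
if [ $# -gt 0 ]; then
    main "$@"
fi
```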