Channel: Privileges when doing sudo to another domain user - Server Fault

Privileges when doing sudo to another domain user


Suppose I have a corporate domain mydomain using MS Active Directory. In the domain I have the users myuser and youruser. Now, on one specific Ubuntu machine mymachine, myuser has sudo rights, and does sudo su youruser (or sudo -u youruser sh). Since myuser has the necessary sudoers config, he does not need to enter youruser's password, and will effectively become youruser on that machine.

  1. What kind of youruser privileges will myuser have at this point? Obviously, if youruser also has a home directory on the machine, myuser can now access it and read his private local files. But what will happen if trying to access a network domain resource using Kerberos, Samba etc.? I guess since he has never entered youruser's password he is not authenticated as a domain user, does not have a Kerberos ticket etc. So if there's a network service that checks group memberships for his user id, will that also fail? How does this work? Is he considered to be a different user, say, mymachine\youruser as opposed to mydomain\youruser?

  2. Suppose there's a web service running as a daemon on the machine, using a dedicated domain user myserviceuser. If this web service needs to access network resources, i.e., authenticate with Kerberos, how should the daemon be set up, for example from an upstart script? Normally you start it using something like sudo -u myserviceuser <cmd>, but given the above assumptions, will this grant the web service any rights to access network resources? Shouldn't the password for this user have to be entered somewhere?

