sudoer: AD domain group in sudoer file won´t work

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















My server is joined to AD domain, and I used SSSD and realm to do so. I can log fine to the server using SSH and my AD credentials.
I wanted to allow my user to run sudo, so I added %MY_AD_GROUP ALL=(ALL) ALL to my /etc/sudoers. It won´t work. I then tried to add my domain like all of these:



%MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
%MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
%:MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
+MY_AD_GROUP ALL=(ALL) ALL
+MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
+MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL


and none of them worked either.
If I run id:



$ id
uid=1953620811(my_user) gid=1953600513(domain users) groups=1953600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


it shows my user is indeed an AD user.



Something worth mentioning:
I first check a group I´m a member of in AD:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4


so, my_user is a member of MY_AD_GROUP, then I add it to /etc/sudoers (via visudo) and try to run:



$ sudo echo a
[sudo] password for my_user:
my_user is not in the sudoers file. This incident will be reported.


I then check again MY_AD_GROUP:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,user3,user4


and my user disappeared from the list (but I know it is still a member of the AD group). And, as soon as I run $ sss_cache -E and run:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4


the user show up again, although sudo won´t work.
So, what is going on???










share|improve this question
























  • I'm tempted to remove the sudo tag, since it seems (to me) that the core issue is that you're getting sporadic behavior with getent group MY_AD_GROUP.

    – Jeff Schaller
    Mar 1 at 15:06











  • @JeffSchaller it could be the case, since I´m under the impression the same is happening to SSH AllowGroups directive, although I have to confirm.

    – Adriano_epifas
    Mar 1 at 15:14















0















My server is joined to AD domain, and I used SSSD and realm to do so. I can log fine to the server using SSH and my AD credentials.
I wanted to allow my user to run sudo, so I added %MY_AD_GROUP ALL=(ALL) ALL to my /etc/sudoers. It won´t work. I then tried to add my domain like all of these:



%MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
%MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
%:MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
+MY_AD_GROUP ALL=(ALL) ALL
+MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
+MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL


and none of them worked either.
If I run id:



$ id
uid=1953620811(my_user) gid=1953600513(domain users) groups=1953600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


it shows my user is indeed an AD user.



Something worth mentioning:
I first check a group I´m a member of in AD:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4


so, my_user is a member of MY_AD_GROUP, then I add it to /etc/sudoers (via visudo) and try to run:



$ sudo echo a
[sudo] password for my_user:
my_user is not in the sudoers file. This incident will be reported.


I then check again MY_AD_GROUP:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,user3,user4


and my user disappeared from the list (but I know it is still a member of the AD group). And, as soon as I run $ sss_cache -E and run:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4


the user show up again, although sudo won´t work.
So, what is going on???










share|improve this question
























  • I'm tempted to remove the sudo tag, since it seems (to me) that the core issue is that you're getting sporadic behavior with getent group MY_AD_GROUP.

    – Jeff Schaller
    Mar 1 at 15:06











  • @JeffSchaller it could be the case, since I´m under the impression the same is happening to SSH AllowGroups directive, although I have to confirm.

    – Adriano_epifas
    Mar 1 at 15:14













0












0








0








My server is joined to AD domain, and I used SSSD and realm to do so. I can log fine to the server using SSH and my AD credentials.
I wanted to allow my user to run sudo, so I added %MY_AD_GROUP ALL=(ALL) ALL to my /etc/sudoers. It won´t work. I then tried to add my domain like all of these:



%MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
%MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
%:MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
+MY_AD_GROUP ALL=(ALL) ALL
+MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
+MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL


and none of them worked either.
If I run id:



$ id
uid=1953620811(my_user) gid=1953600513(domain users) groups=1953600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


it shows my user is indeed an AD user.



Something worth mentioning:
I first check a group I´m a member of in AD:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4


so, my_user is a member of MY_AD_GROUP, then I add it to /etc/sudoers (via visudo) and try to run:



$ sudo echo a
[sudo] password for my_user:
my_user is not in the sudoers file. This incident will be reported.


I then check again MY_AD_GROUP:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,user3,user4


and my user disappeared from the list (but I know it is still a member of the AD group). And, as soon as I run $ sss_cache -E and run:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4


the user show up again, although sudo won´t work.
So, what is going on???










share|improve this question
















My server is joined to AD domain, and I used SSSD and realm to do so. I can log fine to the server using SSH and my AD credentials.
I wanted to allow my user to run sudo, so I added %MY_AD_GROUP ALL=(ALL) ALL to my /etc/sudoers. It won´t work. I then tried to add my domain like all of these:



%MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
%MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
%:MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
+MY_AD_GROUP ALL=(ALL) ALL
+MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
+MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL


and none of them worked either.
If I run id:



$ id
uid=1953620811(my_user) gid=1953600513(domain users) groups=1953600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


it shows my user is indeed an AD user.



Something worth mentioning:
I first check a group I´m a member of in AD:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4


so, my_user is a member of MY_AD_GROUP, then I add it to /etc/sudoers (via visudo) and try to run:



$ sudo echo a
[sudo] password for my_user:
my_user is not in the sudoers file. This incident will be reported.


I then check again MY_AD_GROUP:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,user3,user4


and my user disappeared from the list (but I know it is still a member of the AD group). And, as soon as I run $ sss_cache -E and run:



$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4


the user show up again, although sudo won´t work.
So, what is going on???







linux active-directory sssd






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 1 at 15:14







Adriano_epifas

















asked Mar 1 at 13:16









Adriano_epifasAdriano_epifas

83




83












  • I'm tempted to remove the sudo tag, since it seems (to me) that the core issue is that you're getting sporadic behavior with getent group MY_AD_GROUP.

    – Jeff Schaller
    Mar 1 at 15:06











  • @JeffSchaller it could be the case, since I´m under the impression the same is happening to SSH AllowGroups directive, although I have to confirm.

    – Adriano_epifas
    Mar 1 at 15:14

















  • I'm tempted to remove the sudo tag, since it seems (to me) that the core issue is that you're getting sporadic behavior with getent group MY_AD_GROUP.

    – Jeff Schaller
    Mar 1 at 15:06











  • @JeffSchaller it could be the case, since I´m under the impression the same is happening to SSH AllowGroups directive, although I have to confirm.

    – Adriano_epifas
    Mar 1 at 15:14
















I'm tempted to remove the sudo tag, since it seems (to me) that the core issue is that you're getting sporadic behavior with getent group MY_AD_GROUP.

– Jeff Schaller
Mar 1 at 15:06





I'm tempted to remove the sudo tag, since it seems (to me) that the core issue is that you're getting sporadic behavior with getent group MY_AD_GROUP.

– Jeff Schaller
Mar 1 at 15:06













@JeffSchaller it could be the case, since I´m under the impression the same is happening to SSH AllowGroups directive, although I have to confirm.

– Adriano_epifas
Mar 1 at 15:14





@JeffSchaller it could be the case, since I´m under the impression the same is happening to SSH AllowGroups directive, although I have to confirm.

– Adriano_epifas
Mar 1 at 15:14










0






active

oldest

votes












Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503781%2fsudoer-ad-domain-group-in-sudoer-file-won%25c2%25b4t-work%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503781%2fsudoer-ad-domain-group-in-sudoer-file-won%25c2%25b4t-work%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?