sudoer: AD domain group in sudoer file won´t work

My server is joined to an AD domain, and I used SSSD and realm to do so. I can log in fine to the server using SSH and my AD credentials.
I wanted to allow my user to run sudo, so I added %MY_AD_GROUP ALL=(ALL) ALL to my /etc/sudoers. It won't work. I then tried to add my domain like all of these:

%MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
%MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
%:MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
+MY_AD_GROUP ALL=(ALL) ALL
+MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
+MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL

and none of them worked either.
If I run id:

$ id
uid=1953620811(my_user) gid=1953600513(domain users) groups=1953600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

it shows my user is indeed an AD user.

Something worth mentioning:
I first check a group I'm a member of in AD:

$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4

so, my_user is a member of MY_AD_GROUP, then I add it to /etc/sudoers (via visudo) and try to run:

$ sudo echo a
[sudo] password for my_user:
my_user is not in the sudoers file. This incident will be reported.

I then check MY_AD_GROUP again:

$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,user3,user4

and my user disappeared from the list (but I know it is still a member of the AD group). And, as soon as I run $ sss_cache -E and run:

$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4

the user shows up again, although sudo won't work.
So, what is going on???
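An added diagnostic, not part of the question or its comments, that compares the two views the question keeps switching between: sudo decides a %GROUP rule mainly by the invoking user's own group vector (what `id -G` prints, which SSSD fills through its initgroups lookup at login), while `getent group NAME` asks SSSD for that group's member list, a separate lookup that can lag or flicker. In the `id` output above that vector holds only `domain users`, so no spelling of the group name in sudoers can match until the vector changes. It assumes POSIX sh with `id` and `getent`; the sample values in the test are taken from the question.

```shell
#!/bin/sh
# check_group_views USER GID_LIST GETENT_LINE
#   USER        account name, e.g. my_user
#   GID_LIST    space separated numeric GIDs, as printed by `id -G USER`
#   GETENT_LINE one line as printed by `getent group NAME`
# Numeric GIDs are compared instead of names so that group names with
# spaces ("domain users") cannot be split by the shell.
# Return codes: 0 both views list the user (a %GROUP rule can match)
#               1 neither view lists the user
#               2 getent lists the user but the GID is missing from the
#                 user's group vector (sudo refuses; the situation above)
#               3 GID is in the vector but getent omits the user
check_group_views() {
    user="$1"; gid_list="$2"; line="$3"
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    in_vector=0
    for g in $gid_list; do
        [ "$g" = "$gid" ] && in_vector=1
    done
    in_members=0
    # 4th field of getent group output is the comma separated member list
    for m in $(printf '%s\n' "$line" | cut -d: -f4 | tr ',' ' '); do
        [ "$m" = "$user" ] && in_members=1
    done
    case "$in_vector$in_members" in
        11) echo "ok: $user has gid $gid in its group vector and is listed"; return 0 ;;
        00) echo "no: $user is not a member of gid $gid in either view"; return 1 ;;
        01) echo "stale vector: getent lists $user but gid $gid is absent from id -G;" \
                 "a %GROUP rule cannot match (clear the SSSD cache and log in again)"; return 2 ;;
        10) echo "lagging getent: gid $gid is in the vector but getent omits $user"; return 3 ;;
    esac
}

# Live check on the current host: check_live GROUP [USER]
# (defaults to the invoking user, like sudo itself)
check_live() {
    user="${2:-$(id -un)}"
    line=$(getent group "$1") || { echo "group $1 is not resolvable through NSS"; return 4; }
    check_group_views "$user" "$(id -G "$user")" "$line"
}
```

Running `check_live MY_AD_GROUP` before and after `sss_cache -E` and a fresh SSH login shows which of the two lookups is actually changing.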
  • I'm tempted to remove the sudo tag, since it seems (to me) that the core issue is that you're getting sporadic behavior with getent group MY_AD_GROUP.

    – Jeff Schaller
    Mar 1 at 15:06
  • @JeffSchaller it could be the case, since I'm under the impression the same is happening to the SSH AllowGroups directive, although I have to confirm.

    – Adriano_epifas
    Mar 1 at 15:14
linux active-directory sssd






asked Mar 1 at 13:16 by Adriano_epifas, edited Mar 1 at 15:14