sudoer: AD domain group in sudoer file won't work
My server is joined to an AD domain, and I used SSSD and realm to do so. I can log in fine to the server using SSH and my AD credentials.
I wanted to allow my user to run sudo, so I added

%MY_AD_GROUP ALL=(ALL) ALL

to my /etc/sudoers. It won't work. I then tried to add my domain like all of these:

%MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
%MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
%:MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
+MY_AD_GROUP ALL=(ALL) ALL
+MY_DOMAIN\MY_AD_GROUP ALL=(ALL) ALL
+MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL

and none of them worked either.
If I run id:

$ id
uid=1953620811(my_user) gid=1953600513(domain users) groups=1953600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

it shows my user is indeed an AD user.
Something worth mentioning:
I first check a group I'm a member of in AD:

$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4

so my_user is a member of MY_AD_GROUP. Then I add it to /etc/sudoers (via visudo) and try to run:

$ sudo echo a
[sudo] password for my_user:
my_user is not in the sudoers file. This incident will be reported.

I then check MY_AD_GROUP again:

$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,user3,user4

and my user disappeared from the list (but I know it is still a member of the AD group). And, as soon as I run $ sss_cache -E and run:

$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4

the user shows up again, although sudo won't work.
So, what is going on???
linux active-directory sssd
I'm tempted to remove the sudo tag, since it seems (to me) that the core issue is that you're getting sporadic behavior with getent group MY_AD_GROUP.
– Jeff Schaller♦
Mar 1 at 15:06
@JeffSchaller it could be the case, since I´m under the impression the same is happening to SSH AllowGroups directive, although I have to confirm.
– Adriano_epifas
Mar 1 at 15:14
asked Mar 1 at 13:16 by Adriano_epifas, edited Mar 1 at 15:14
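A diagnostic script, added here as an example and not part of the original post or any answer to it. The point it makes: a `%group` rule in sudoers (and sshd's AllowGroups) is matched against the invoking user's own group list, the one `id -G` prints and that NSS builds via getgrouplist()/initgroups(); it is not matched against the member column that `getent group NAME` prints, which comes from a separate getgrnam() lookup. Under SSSD those two lookups are served from separate cache entries, so they can disagree, and the `id` output in the post shows only the primary group, which is exactly what sudo sees. The script below classifies that situation from constructed inputs copied from the post's output; `diagnose_live` runs the same comparison on a joined host. Function names and the three result labels are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post). Compares the two views of AD group
# membership that SSSD exposes through NSS:
#   - the user's group list, what `id -G USER` prints (getgrouplist/initgroups),
#     which is what sudo's %group and sshd's AllowGroups actually test;
#   - the group's member column, what `getent group NAME` prints (getgrnam),
#     which neither sudo nor sshd consult.

# Split a `getent group` line ("name:*:gid:m1,m2") into "gid members".
parse_getent_group() {
    printf '%s\n' "$1" | awk -F: '{ print $3, $4 }'
}

# Return 0 if numeric gid $2 occurs in the space-separated gid list $1.
# Numeric comparison avoids the "domain users" space-in-name problem of `id -Gn`.
gid_in_list() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if user $2 is named in the comma-separated member list $1.
user_in_members() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# diagnose USER "GID LIST" "GETENT LINE"  -> prints one of:
#   ok                 gid is in the user's group list; a %group rule will match
#   not-in-grouplist   getent lists the user as a member, but the user's own
#                      group list lacks the gid; sudo and AllowGroups both deny
#   not-member         neither view shows membership
diagnose() {
    user=$1; gidlist=$2; line=$3
    set -- $(parse_getent_group "$line")
    gid=$1; members=${2:-}
    if gid_in_list "$gidlist" "$gid"; then
        echo ok
    elif user_in_members "$members" "$user"; then
        echo not-in-grouplist
    else
        echo not-member
    fi
}

# Live check on a joined host: diagnose_live USER GROUP
diagnose_live() {
    line=$(getent group "$2") || { echo "group $2 not resolvable"; return 2; }
    diagnose "$1" "$(id -G "$1")" "$line"
}

# Constructed inputs taken from the post: `id` showed only the primary group,
# while `getent group` listed my_user in the member column.
POST_GIDS="1953600513"
POST_GETENT="MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4"

if [ $# -eq 2 ]; then
    diagnose_live "$1" "$2"
else
    diagnose my_user "$POST_GIDS" "$POST_GETENT"             # not-in-grouplist
    diagnose my_user "1953600513 1953654054" "$POST_GETENT"  # ok
fi
```

Run it as `sh diag.sh my_user MY_AD_GROUP` on the joined server. If it prints `not-in-grouplist`, the sudoers syntax is not the problem: the user's initgroups result from SSSD does not contain the group, so no `%group` spelling will match until `id -G my_user` includes gid 1953654054. That is the lookup to debug (and to re-check after `sss_cache -E`), not the `getent group` member list.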