I'm using openSUSE 11.4 which has Active Directory configuration built-in to Yast (which does all the pam_winbind, Kerberos, nss, Samba-client stuff for you) and I can successfully authenticate against my AD domain.
I created an AD group called LinuxAdmins and I'd like to have a way for people in that group to either be able to su on certain Linux servers without the root password or sudo on those machines using their own passwords.
The way openSUSE configures AD, it sets the username with the domain prefixed. So my username would be MYDOMAN\djsumdog. If I try adding either of the following lines to the sudoers file, I still can't sudo with my user. I keep getting "MYDOMAIN\djsumdog is not in the sudoers file. This incident will be reported." I've tried both single and double slashes for the user and group names.
%MYDOMAIN\LinuxAdmins ALL=(ALL) ALL
MYDOMAIN\djsumdog ALL=(ALL) ALL
I know on my Gentoo box, the following line in /etc/pam.d/su allows users in the wheel group to su without a password:
auth sufficient pam_wheel.so use_uid trust
But this doesn't seem to work in openSUSE (even with local users), much less AD users. I tried using the pam_winbind.so module as well:
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
auth sufficient pam_winbind.so require_membership_of=MYDOMAIN\\LinuxAdmins
account sufficient pam_rootok.so
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so
But I don't think that will work as the require_membership_of parameter seems to be for the primary authentication against the entire machine.
I know sudo with the user's password is more secure, but I would happy if I could get either su or sudo working by validating the user against his or her AD group.
Per Hadyman5's comment, I ran the following:
...and saw that my group was actually MYDOMAIN\linuxadmins, all lower case. I then added the following to my sudo configuration:
And sudo works fine now with the users in that group.
Using the directions to add a centos 7 box to my 2012r2 domain located Here, I was able to add to my domain. Adding a AD group to sudoers required me to format the group as
%GroupName@DOMAIN ALL=(ALL) ALL
and it worked.