I am the admin of several different servers and currently there is a different sudoers file on each one. This is getting slightly out of hand as quite often I need to give someone permissions to do something with sudo but it only gets done on one server. Is there an easy way of editing the sudoers file just on my central server and then distributing it by SFTP or something like that to the other servers in an easy way?
Mostly wondering how other sysadmins solve this problem, since the sudoers file doesn't seem to be remotely accessible with NIS, for example.
Operating system is SUSE Linux Enterprise Server 11 64-bit, but it shouldn't matter.
EDIT: Every machine will, for now, have the same sudoers file.
EDIT2: The accepted answer's comment was the closest to what I actually went ahead and did. I am right now using an SVN-supported puppet-installation and after a few headaches, it's working very well.
The absolute last thing I would want to do is create a separate sudoers file, like Dave suggests. If you have a lot of machines, and only subtle differences apply (as is often the case), you really do not want this. It will generate a lot of overhead.
What you really want to do is create one sudoers file. In that sudoers file, you can then define Host_Aliases for groups of systems for which you want a certain policy to apply. You can also make User_Aliases and whatnot. Done right, this gives you a huge benefit by having one file to edit, so it is easy to see what applies where and you don't have to worry about different versions of the sudoers file being deployed on different machines by accident.
New versions of sudo even support the sudoers.d directory in /etc, which might be of help too, but I haven't tried that yet.
Step 1. Set up an LDAP server and configure all your machines to authenticate users and groups via LDAP.
Step 2. Create a master sudoers group in LDAP, say yourcompany-sudoers. Give that group permission to sudo (with password) in the /etc/sudoers file on each machine.
Step 3. Create a sudoers-machinename group in LDAP, and add that group to /etc/sudoers on the corresponding machine.
With those three steps you don't need to edit the /etc/sudoers file after the machine is installed, and you get a number of other benefits as well.
For extra effect:
Step 4. Set up Puppet, CFEngine, Chef or similar, and deploy a templated sudoers file to each machine automatically.
/etc/sudoers can also be replaced with calls to a centralized LDAP server directly. All of the permissions and settings you would usually set on the local machine get set in LDAP.
http://www.gratisoft.us/sudo/man/sudoers.ldap.html
Alternatively, you could look into using version control (say git or mercurial) for some of your configuration files in /etc, put the sudoers file under said VCS, then have each machine pull its copy of the common configuration files from the repository.
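An added example (not part of any answer here, and not code from sudo or any tool mentioned): one shared sudoers file that uses Host_Alias to scope rules to server groups, as the single-file answer describes, plus a shell function each server can run after pulling the file from version control, which installs it only if `visudo -c` accepts it. The host names, users, commands and the `VISUDO` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Host names, user names and commands are constructed.

# Write the one shared policy file; Host_Alias decides where a rule applies.
write_sample_policy() {
    cat > "$1" <<'EOF'
Host_Alias  WEBSERVERS = web01, web02
Host_Alias  DBSERVERS  = db01
User_Alias  WEBADMINS  = alice, bob
User_Alias  DBADMINS   = carol
Cmnd_Alias  WEB_SVC    = /etc/init.d/apache2 restart, /etc/init.d/apache2 reload
Cmnd_Alias  DB_SVC     = /etc/init.d/mysql restart

root        ALL        = (ALL) ALL
WEBADMINS   WEBSERVERS = (root) WEB_SVC
DBADMINS    DBSERVERS  = (root) DB_SVC
EOF
}

# install_sudoers SRC DEST: replace DEST with SRC only if SRC parses.
# VISUDO is a hypothetical override used for testing; the default is visudo.
install_sudoers() {
    src=$1
    dest=$2
    tmp="$dest.new.$$"
    if ! "${VISUDO:-visudo}" -c -f "$src" >/dev/null 2>&1; then
        echo "refusing to install $src: syntax check failed" >&2
        return 1
    fi
    # Stage next to the target so the final rename is atomic.
    cp "$src" "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    # sudo wants the file owned by root; only root can set that.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest"
}

# On each server, after pulling the file from the repository:
#   install_sudoers ./sudoers /etc/sudoers
```

Because the syntax check runs on the receiving server, a file that fails to parse there never replaces the working one, so a bad commit cannot lock out sudo across the fleet.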
You might want to consider the Likewise solution, which is easy to implement and install (openlikewise is free of charge). For specific information on a sudoers policy, look at this:
http://www.likewise.com/resources/documentation_library/manuals/lwe/group-policy-guide.html#TestSudo