Home / ubuntu / Questions / 1114364
Accepted
Hunter Lowe
Asked: 2019-02-01 02:56:31 +0800 CST

Edit Sudoers file to allow sudo rights to a AD domain group

  • 772

I recently managed to get my Ubuntu Server 18.04 machine connected to my companies Windows AD. I am able to login with my AD credentials however I want to take it a step further...

This is the article I followed in order to get my Ubuntu 18.04 machine onto the windows domain, note I did not do any configuration on restricting ssh login to a domain group as I am still struggling. https://www.smbadmin.com/2018/06/connecting-ubuntu-server-1804-to-active.html?showComment=1548915938955#c6716393705599388679

However....

The goal of what I am trying to achieve is as follows:

  • Add a line to /etc/sudoers file that specifies an AD group within my organization.
  • This groups members should have sudo access on the Linux machines in our organisation.

What I've done:

  • I tried adding lines like :
  • "nameofdomain\nameofgroup ALL=(ALL:ALL) ALL"
  • And more.... However whenever I try to sudo with a user I know is in the group I receive the usual "...user not in sudoers... incident will be reported..."

What could be the reason for this? Is it perhaps due to the configurations I've specified when connecting the machine to the AD domain?

The full path to this group is as follows: - domainname/Groups/Elab/Elab-Level3

Here is the configuration for my files used to join the AD domain:

krb5.conf

[libdefaults]
    default_realm = MYREALM
dns_lookup_kdc = true
dns_lookup_realm = true

...... rest of file ........

realmd.conf

[users]
 default-home = /home/%D/%U
 default-shell = /bin/bash

[active-directory]
 default-client = sssd
 os-name = Ubuntu Server
 os-version = 18.04

[service]
 automatic-install = no

[mydomain]
 fully-qualified-names = yes
 automatic-id-mapping = no
 user-principal = yes
 manage-system = yes

sssd.conf

[sssd] 
domains = mydomain config_file_version = 2
services = nss, pam, ssh

[domain/mydomain]
ad_domain = mydomain
krb5_realm = MYDOMAIN
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
ldap_user_ssh_public_key = altSecurityIdentities

I'm really hoping that someone here has the answer, I've searched many many threads and have not been able to crack this nut

groups active-directory kerberos 18.04 sssd

4 Answers

  1. Best Answer

    If group consists of single word then it should be sufficient to add following record to /etc/sudoers file:

    %ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL

    If group contain spaces then record should look like:

    %Domain\ Users ALL=(ALL:ALL) ALL
%Domain\ Admins ALL=(ALL:ALL) NOPASSWD:ALL
%Linux\ Admins ALL=(ALL:ALL) NOPASSWD:ALL

    Here "Domain\ Users" , "Domain\ Admins", "Linux\ Admins" is group name in Active Directory

    • 6

  2. I ran sudo visudo and I added this line:

    %[email protected]  ALL=(ALL:ALL) ALL

    and it finally works.

    • 1 
  3. %MYDOMAIN\\domain\ admins  ALL=(ALL) ALL

    DOMAIN NAME is UPPER-LETTER, group name is lower-letter, Separator[\] and Space are escape by '\'.

    • 0

  4. I achieved what You're after by creating a special domain user group - cansudo. The reason I did it this way was to separate being able to sudo from being a domain admin, while also differentiating from the local sudo group.

    Depending on whether You have default domain prefixed to users and groups, the line that will work is either:

    %MYDOMAIN\\cansudo ALL=(ALL:ALL) ALL

    or

    %cansudo ALL=(ALL:ALL) ALL

    I've been scratching my head about this for a long time and then decided to put both of these in just in case.

    • 0