Adding sudoers file for Active Directory Group


I'm using sssd with the simple service provider to integrate my rhel 7 hosts into an Active Directory Domain. I would like to grant one group from Active Directory the permission to use sudo. This works while adding the following line to /etc/sudoers:  ALL=(ALL) ALL
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Instead of editing the /etc/sudoers file I would like to add a file in /etc/sudoers.d/ which contains the information necessary. To do so I created the file /etc/sudoers.d/ containing:  ALL=(ALL) ALL

But this does not work. The user trying to use sudo gets the error that he is not in the sudoers file. Are there any requirements for the file name or content?

Could someone explain what to do to get this working, please?

Best regards,


From the sudoers(5) man page:

sudo will read each file in /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’ character to avoid causing problems with package manager or editor temporary/backup files.

Your filename contains dot characters, so it will be skipped by sudo.

Matti is correct. Otherwise, AD configuration works well with SUDO.

Here is part of the setup:

a) Add in "listsep" stanza in /etc/pam.d/password-auth. The only reason to do it is if you want access.conf to have comma-separated list of users to access local server.

(other lines truncated for brevity)
account     required listsep=,
account     required
account     required
account     sufficient
account     sufficient uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required
(other lines truncated for brevity)

b) Add ACLs for AD group or AD users in /etc/security/access.conf. For example:

+:Special AD Group:ALL

c) Add in /etc/sudoers. If the AD group contains spaces, ensure they are escaped by backslash:

%Special\ AD\ Group ALL=(ALL) some_commands


Dusan Baljevic
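As an added example (not from any post in this thread), a small POSIX shell helper that applies the two points made above: the sudoers(5) rule Matti quotes (drop-ins whose name ends in '~' or contains '.' are silently skipped) and the backslash escaping Dusan shows for AD group names with spaces. It also flags drop-ins whose mode is not the 0440 that visudo -c expects. The directory, file names and group name used in the comments are constructed for illustration.

```sh
#!/bin/sh
# Report which files in a sudoers.d directory sudo will read or skip.
# Rule from sudoers(5): names ending in '~' or containing '.' are ignored,
# which silently produces "user is not in the sudoers file".
# Prints one line per regular file: "read NAME" or "skip NAME".
check_sudoers_d() {
    dir="${1:-/etc/sudoers.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        case "$name" in
            *~|*.*) printf 'skip %s\n' "$name" ;;
            *)      printf 'read %s\n' "$name" ;;
        esac
    done
}

# Names sudo will read, one per line (e.g. ad_admins).
readable_sudoers_d() {
    check_sudoers_d "$1" | sed -n 's/^read //p'
}

# Names sudo will silently skip (e.g. ad.admins, ad_admins~).
skipped_sudoers_d() {
    check_sudoers_d "$1" | sed -n 's/^skip //p'
}

# Drop-ins whose mode is not exactly 0440; visudo -c reports these as
# "bad permissions, should be mode 0440". Run visudo -c after fixing.
bad_mode_sudoers_d() {
    dir="${1:-/etc/sudoers.d}"
    find "$dir" -maxdepth 1 -type f ! -perm 0440 | sed 's#.*/##'
}

# Escape spaces in an AD group name for a sudoers %group rule, so that
# "Special AD Group" becomes "Special\ AD\ Group" (constructed name).
escape_group_name() {
    printf '%s\n' "$1" | sed 's/ /\\ /g'
}

# Build a complete sudoers line for the group, e.g.
#   %Special\ AD\ Group ALL=(ALL) ALL
ad_group_rule() {
    printf '%%%s %s\n' "$(escape_group_name "$1")" "${2:-ALL=(ALL) ALL}"
}
```

Write the output of ad_group_rule into a drop-in with a dot-free name and mode 0440, then confirm with visudo -c and sudo -l -U <user>.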

Ah, I missed that section in the manpage. Thank you!

You are welcome. We are all here to help each other :)

Dusan Baljevic

I did this on RHEL7 using sssd, and I did not enter the pam directives. (but if you need them, use them) I made a separate AD group to allow login (entered in sssd.conf, separate topic) and another AD group for sudoers using %name_of_group SERVERGROUP_DEFINED_EARLIER=(ROLE) LIST_OF_COMMANDS_DEFINED_EARLIER.

The man page for sudoers is actually one of the best man pages ... "known to man". Enter the man page, search for "fred" (really, no kidding) and you will find a plethora of relevant examples.

I also found that putting "group@DOMAIN.COM" worked for me.

It fulfilled my expectation.

Hi there, I've installed RHEL on a VM. Once the installation is completed, when I try to attach my username to the subscription-manager register --username --password --auto-attach

it complains about username not in sudoers file. What am I doing wrong?

I can't do sudo yum date too.

Hi Shabana,

Did you verify status of your SUDO files?

Some examples to help you:

# visudo -c

# getent -s files passwd | cut -f1 -d: | xargs -L1 sudo -l -U 


Dusan Baljevic (amateur radio VK2COT)