Adding sudoers file for Active Directory Group


Hi,

I'm using sssd with the simple service provider to integrate my rhel 7 hosts into an Active Directory Domain. I would like to grant one group from Active Directory the permission to use sudo. This works while adding the following line to /etc/sudoers:

%t01.example.com  ALL=(ALL) ALL
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Instead of editing the /etc/sudoers file I would like to add a file in /etc/sudoers.d/ which contains the information necessary. To do so I created the file /etc/sudoers.d/t01.example.com containing:

%t01.example.com  ALL=(ALL) ALL

But this does not work. The user trying to use sudo gets the error that he is not in the sudoers file. Are there any requirements for the file name or content?

Could someone explain what to do to get this working, please?

Best regards,
Joerg

Responses

From the sudoers(5) man page:

sudo will read each file in /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’ character to avoid causing problems with package manager or editor temporary/backup files.

Your filename contains dot characters, so it will be skipped by sudo.

Matti is correct. Otherwise, AD configuration works well with SUDO.

Here is part of the setup:

a) Add the "listsep" stanza in /etc/pam.d/password-auth. The only reason to do it is if you want access.conf to have a comma-separated list of users to access the local server.

(other lines truncated for brevity)
account     required      pam_access.so listsep=,
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
(other lines truncated for brevity)

b) Add ACLs for AD group or AD users in /etc/security/access.conf. For example:

+:Special AD Group:ALL
+:localuser1,someuser2,someADuser:ALL

c) Add in /etc/sudoers. If the AD group name contains spaces, ensure they are escaped with a backslash:

%Special\ AD\ Group ALL=(ALL) some_commands

Regards,

Dusan Baljevic
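The two pitfalls raised in this thread (a drop-in name that sudo silently skips, and an AD group name with spaces that must be escaped) can be caught before anyone is locked out. The script below is an added example, not code from any poster: it checks a candidate /etc/sudoers.d file name against the rule quoted from sudoers(5), renders the %group line with spaces backslash-escaped, and only installs the drop-in after visudo -cf accepts it. The group and file names are hypothetical placeholders; SUDOERS_D is an assumed override so the writer can be pointed at a scratch directory.

```sh
#!/bin/sh
# Added example (not from the thread). Hypothetical names throughout.

# sudo ignores drop-in names that end in '~' or contain a '.', so a file
# called t01.example.com is never read. Returns 0 if sudo would read $1.
sudoers_name_ok() {
    case "$1" in
        *~|*.*|"") return 1 ;;
        *)         return 0 ;;
    esac
}

# Turn an AD group name into a sudoers %group token. Only spaces are
# escaped here, which is the case discussed above (e.g. "Special AD Group").
sudoers_group_token() {
    printf '%%%s\n' "$1" | sed 's/ /\\ /g'
}

# Render one sudoers rule: <group token> ALL=(ALL) <command spec>
sudoers_line() {
    printf '%s ALL=(ALL) %s\n' "$(sudoers_group_token "$1")" "$2"
}

# Write the drop-in safely: refuse names sudo would skip, stage the file
# under a dotted name (which sudo ignores if we die half-way), check it with
# visudo -cf, and only then move it into place with the 0440 mode sudo expects.
# SUDOERS_D is an assumed override for testing; it defaults to /etc/sudoers.d.
write_sudoers_dropin() {
    name=$1 group=$2 spec=$3
    dir=${SUDOERS_D:-/etc/sudoers.d}
    if ! sudoers_name_ok "$name"; then
        echo "refusing '$name': sudo skips names containing '.' or ending in '~'" >&2
        return 1
    fi
    tmp="$dir/.$name.tmp"
    sudoers_line "$group" "$spec" > "$tmp" || return 1
    chmod 0440 "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        mv "$tmp" "$dir/$name"
    else
        echo "visudo rejected the rule for '$group'" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Usage (as root):
#   write_sudoers_dropin t01_example_com 't01.example.com' ALL
#   write_sudoers_dropin special_ad_group 'Special AD Group' some_commands
```

Note that the group name and the file name are independent: t01.example.com is a perfectly good group token, it is only as a file name that the dots are a problem, so an underscored file name such as t01_example_com keeps the original rule intact.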

Ah, I missed that section in the manpage. Thank you!

You are welcome. We are all here to help each other :)

Dusan Baljevic

I did this on RHEL7 using sssd, and I did not enter the pam directives. (but if you need them, use them) I made a separate AD group to allow login (entered in sssd.conf, separate topic) and another AD group for sudoers using %name_of_group SERVERGROUP_DEFINED_EARLIER=(ROLE) LIST_OF_COMMANDS_DEFINED_EARLIER.

The man page for sudoers is actually one of the best man pages ... "known to man". Enter the man page, search for "fred" (really, no kidding) and you will find a plethora of relevant examples.

I also found on https://www.centos.org/forums/viewtopic.php?t=60141 that putting "group@DOMAIN.COM" worked for me.

It fulfilled my expectation.

Hi there, I've installed RHEL on a VM. Once the installation is completed, when I try to attach my username with subscription-manager register --username --password --auto-attach

it complains about the username not being in the sudoers file. What am I doing wrong?

I can't do sudo yum date either.

Hi Shabana,

Did you verify the status of your SUDO files?

Some examples to help you:

# visudo -c

# getent -s files passwd | cut -f1 -d: | xargs -L1 sudo -l -U 

Regards,

Dusan Baljevic (amateur radio VK2COT)