sudoer: AD domain group in sudoer file won't work


My server is joined to AD domain, and I used SSSD and realm to do so. I can log fine to the server using SSH and my AD credentials.
I wanted to allow my user to run sudo, so I added:

%MY_AD_GROUP ALL=(ALL) ALL

to my /etc/sudoers. It won't work. I then tried to add my domain, like all of these:

%MY_DOMAIN\\MY_AD_GROUP ALL=(ALL) ALL
%MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
%:MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL

and none of them worked either.
If I run id:

$ id
uid=1953620811(my_user) gid=1953600513(domain users) groups=1953600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

it shows my user is indeed an AD user.

Something worth mentioning:
I first check a group I'm a member of in AD:

$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4

so, my_user is a member of MY_AD_GROUP, then I add it to /etc/sudoers (via visudo) and try to run:

$ sudo echo a
[sudo] password for my_user:
my_user is not in the sudoers file.  This incident will be reported.

I then check again MY_AD_GROUP:

$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,user3,user4

and my user disappeared from the list (but I know it is still a member of the AD group). And, as soon as I run:

$ sss_cache -E

and run:

$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4

the user shows up again, although sudo won't work.
So, what is going on???

Responses

Does your AD group have any spaces in it? If it's like domain users, it'd need an escape character, so it'd be: %domain\ users

I think when I set mine up (forever ago, memory is rusty) I was able to do what you initially tried with %AD_Group without the domain name.

I'm sure my AD group doesn't have spaces in it. Do you have any idea how I can debug this?

While looking around I saw that nested AD groups usually don't work so that may be the case here? Does adding a single AD user account into sudoers not work either? Trying to narrow down if it doesn't work at all or if there is an issue with the particular AD group you're trying to add.

Alex, I read before that nested groups would not work, so I made sure my user is a direct member of the group I'm referring to in sudoers. Adding my user directly in sudoers makes it work; only the group I'm a member of fails.

Hmm so that's good at least, it's seeing your AD users and accepting them. Does /var/log/sssd have any info about the AD group name not existing or anything like that?

I did not realize logs were kept in /var/log/sssd, but unfortunately there's no log from today (gpo_child.log, krb5_child.log, ldap_child.log, sssd.log, sssd_sudo.log are empty; all the others have content from at least 4 days ago).

I checked the sudo logs, though, and here is what's being logged.

with this in sudoers:

%MY_AD_GROUP ALL=(ALL)       ALL

Mar  7 16:30:06 my_server sudo: pam_sss(sudo:auth): authentication success; logname=my_user uid=1953620811 euid=0 tty=/dev/pts/5 ruser=my_user rhost= user=my_user 
Mar  7 16:30:06 my_server sudo: my_user : user NOT authorized on host ; TTY=pts/5 ; PWD=/home/MY_DOMAIN/my_user ; USER=root ; COMMAND=/bin/echo a

with this in sudoers:

my_user              ALL=(ALL)       ALL

Mar  7 16:32:59 my_server sudo: pam_sss(sudo:auth): authentication success; logname=my_user uid=1953620811 euid=0 tty=/dev/pts/5 ruser=my_user rhost= user=my_user 
Mar  7 16:32:59 my_server sudo: my_user : TTY=pts/5 ; PWD=/home/MY_DOMAIN/my_user ; USER=root ; COMMAND=/bin/echo a

Hi,

First point of check that I often see being a problem:

Is your AD group enabled with "Unix" flag?

It is done in the AD GUI menu "Unix Account", where one needs to select the "Unix-enabled" option.

Regards,

Dusan Baljevic (amateur radio VK2COT)

Dusan, isn't that to have Linux as a DC or something alike? That led me to this, which gave me the idea it's not my case. Also, I followed the RHEL tutorial, which didn't use samba to join Linux to the domain, as far as I remember. Do I really need that Unix flag in AD? My AD doesn't even show that tab.

Hi Adrian,

No, the place where I work actually uses Microsoft AD and "Unix-enabled" option is in there.

I also heard some mentioning POSIX attributes in relation to it.

I am not a Windows expert but I have seen that menu when my admin showed it to me.

Regards,

Dusan Baljevic (amateur radio VK2COT)

Hi, I found a solution for this one; I had the same problem. Define /etc/sudoers.d/10-sudoers-mine or whatever (the file name cannot contain . or spaces). Instead of using your AD group name like:

%MY_AD_GROUP ALL=(ALL) ALL

use:

"%domain admins" ALL=(ALL) ALL

or

"%domain users" ALL=(ALL) ALL

depending on what you need.

That does the trick.
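An added diagnostic, not part of this thread or of any post in it: a POSIX shell script that pulls the group names out of the %group rules of a sudoers fragment (the bare, quoted and backslash-escaped spellings that came up above) and compares them with a user's supplementary group list. sudo matches a %group rule against the user's own group list (what `id -G` resolves to), not against the member list that `getent group NAME` prints, which is why those two views can disagree; note that the `id` output in the question lists only domain users. The sudoers fragment and the two group lists are constructed samples mirroring the thread, and `live_user_groups` is an assumed helper name for running the same comparison against a real account.

```shell
#!/bin/sh
# Added example (not from the thread): compare the %group rules of a sudoers
# fragment with a user's supplementary group list, the list sudo actually
# consults when it evaluates %group entries.

# Constructed sudoers fragment with the spellings discussed in the thread.
SAMPLE_SUDOERS='# constructed sample, not a real file
root            ALL=(ALL)       ALL
%MY_AD_GROUP    ALL=(ALL)       ALL
"%domain users" ALL=(ALL)       ALL
%domain\ admins ALL=(ALL)       ALL
%wheel          ALL=(ALL)       ALL
'

# Constructed group lists, one name per line. The first mirrors the `id`
# output in the question (primary group only); the second adds the AD group.
SAMPLE_GROUPS_BEFORE='domain users'
SAMPLE_GROUPS_AFTER='domain users
MY_AD_GROUP'

# Print the group name of every %group rule read on stdin, one per line.
# Handles %name, "%name with spaces" and %name\ with\ escaped\ spaces;
# a leading %: (non-Unix group looked up through sudo's group plugin) is
# stripped as well, so a MISS for such a rule is indicative only.
rule_groups() {
    awk '
        /^"%/ { sub(/^"%:?/, ""); sub(/".*/, ""); print; next }
        /^%/ {
            sub(/^%:?/, "")
            name = ""; n = length($0); i = 1
            while (i <= n) {
                c = substr($0, i, 1)
                # backslash escapes the next character (usually a space)
                if (c == "\\" && i < n) { name = name substr($0, i + 1, 1); i += 2; continue }
                if (c == " " || c == "\t") break
                name = name c; i++
            }
            print name
        }'
}

# Resolve a real user's supplementary groups to names, one per line.
# `id -Gn` is ambiguous for names containing spaces, so go via the GIDs.
# Not exercised by the constructed samples; helper name is an assumption.
live_user_groups() {
    for gid in $(id -G "$1"); do
        getent group "$gid" | cut -d: -f1
    done
}

# Report every %group rule as match/MISS against a group list.
check_sudo_groups() {
    sudoers_text=$1
    group_list=$2
    printf '%s\n' "$sudoers_text" | rule_groups | while IFS= read -r g; do
        if printf '%s\n' "$group_list" | grep -Fxq -- "$g"; then
            printf 'match: %s\n' "$g"
        else
            printf 'MISS:  %s\n' "$g"
        fi
    done
}

# Number of %group rules the given group list satisfies.
count_matches() {
    check_sudo_groups "$1" "$2" | grep -c '^match:'
}

printf '== user groups as in the question (primary group only) ==\n'
check_sudo_groups "$SAMPLE_SUDOERS" "$SAMPLE_GROUPS_BEFORE"
printf '== after MY_AD_GROUP appears in the user group list ==\n'
check_sudo_groups "$SAMPLE_SUDOERS" "$SAMPLE_GROUPS_AFTER"
```

Against a real host, feed it `"$(cat /etc/sudoers.d/10-sudoers-mine)" "$(live_user_groups my_user)"`; a rule that reports MISS while `getent group` still lists the user points at the group-list side (SSSD cache or membership resolution), not at the sudoers syntax. `visudo -cf FILE` syntax-checks a drop-in and `sudo -l -U my_user` shows what sudo itself resolves. Keep in mind that `"%domain users" ALL=(ALL) ALL` grants full root to every account in the domain, so it is a much broader rule than the dedicated AD group the question set out to use.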