sudoers: AD domain group in sudoers file won't work
My server is joined to AD domain, and I used SSSD and realm to do so. I can log fine to the server using SSH and my AD credentials.
I wanted to allow my user to run sudo, so I added:
%MY_AD_GROUP ALL=(ALL) ALL
to my /etc/sudoers. It won't work. I then tried adding my domain, in all of these forms:
%MY_DOMAIN\\MY_AD_GROUP ALL=(ALL) ALL
%MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
%:MY_AD_GROUP@MY_DOMAIN ALL=(ALL) ALL
and none of them worked either.
If I run id:
$ id
uid=1953620811(my_user) gid=1953600513(domain users) groups=1953600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
it shows my user is indeed an AD user.
Something worth mentioning:
I first check a group I'm a member of in AD:
$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4
so, my_user is a member of MY_AD_GROUP, then I add it to /etc/sudoers (via visudo) and try to run:
$ sudo echo a
[sudo] password for my_user:
my_user is not in the sudoers file. This incident will be reported.
I then check MY_AD_GROUP again:
$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,user3,user4
and my user disappeared from the list (but I know it is still a member of the AD group). And, as soon as I run:
$ sss_cache -E
and run:
$ getent group MY_AD_GROUP
MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4
the user shows up again, although sudo won't work.
So, what is going on???
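An added diagnostic, not part of the original post: sudo resolves a %group rule against the invoking user's own group vector (the groups= field that `id` prints, filled by the NSS initgroups lookup), not against the member list that `getent group` returns. The script below compares the two views; the sample `id` and `getent` lines are constructed to match the shapes shown in the question, and the user and group names are placeholders.

```shell
#!/bin/sh
# Compare the group vector sudo consults (from `id`) with the member list NSS
# reports for the group (from `getent group`). Sample lines are constructed.

# Numeric GID from a `getent group NAME` line: NAME:*:GID:member,member,...
gid_of_group_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 if USER is listed in the member field of a getent group line
user_in_member_list() {
    printf '%s\n' "$2" | cut -d: -f4 | tr ',' '\n' | grep -qxF "$1"
}

# 0 if GID is present in the groups= field of an `id` line. Parenthesised
# names are stripped first because AD names may contain spaces.
gid_in_id_output() {
    printf '%s\n' "$2" | sed 's/([^)]*)//g' \
        | sed -n 's/.*groups=\([^ ]*\).*/\1/p' | tr ',' '\n' | grep -qxF "$1"
}

# Prints a verdict label followed by an explanation
diagnose() {
    _user=$1; _idline=$2; _groupline=$3
    _gid=$(gid_of_group_line "$_groupline")
    if gid_in_id_output "$_gid" "$_idline"; then
        echo "ok: $_user carries gid $_gid, so a %group sudoers rule can match"
    elif user_in_member_list "$_user" "$_groupline"; then
        echo "mismatch: group lists $_user but the group vector of $_user lacks gid $_gid, so sudo denies (check the initgroups lookup and the SSSD cache)"
    else
        echo "not-member: NSS shows no membership for $_user at all"
    fi
}

# Constructed samples in the shape of the question's output (placeholder names)
SAMPLE_ID='uid=1953620811(my_user) gid=1953600513(domain users) groups=1953600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
SAMPLE_GROUP='MY_AD_GROUP:*:1953654054:user1,my_user,user3,user4'

# Live check on a joined host would be: diagnose "$(id -un)" "$(id)" "$(getent group MY_AD_GROUP)"
diagnose my_user "$SAMPLE_ID" "$SAMPLE_GROUP"
```

On the question's own sample output the verdict is "mismatch": the group's member list names the user, but the user's group vector contains only "domain users".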