Sudo doesn't work on AD domain - RHEL8

Hello,

I have 2 servers connected to Active Directory.

On the servers, I configured /etc/sudoers.d/domain_admins with the following line:

%MySudoGroup@domain.tld       ALL=(ALL)       ALL

On the first server, it works perfectly but not on the second.
I checked all the possible parameters (those I know) but I don't see any difference between the 2 servers.

On the first one, when I use sudo, it comes like this:

[sudo] password for <user>

On the second, it comes like this:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for <user>:

In the second case, it tells me that the password is incorrect.

What's wrong? All ideas are welcome.

Regards,

Bertrand

Responses

In the few isolated incidents where I faced this, the account was either locked in Active Directory or locally on the system itself.

Take the steps incrementally and evaluate at each step of the way; please do not do all of them at once.

  • Evaluate in Active Directory whether the account shows as locked, and if so, unlock it.
  • If that doesn't do it, go to the server where the issue is occurring, become the user, and type the groups command to see if it lists the expected groups.
  • Go to the system where the person cannot log in and run lastlog -C -u specific_userid_goes_here
  • Also, validate that the /etc/nsswitch.conf file is properly set to use sss for AD.
  • Only if needed, if none of the above works, consider clearing the sssd cache, such as in this part of a solution:
service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start
systemctl is-active sssd && echo ok || echo failed

Then if that fails, submit a case with Red Hat mentioning this, and also include an sosreport with your case if you open one.

Regards,
RJ
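A diagnostic script that walks RJ's checklist for one domain user, added here as an example and not taken from either post. It assumes the sudoers rule from the question (%MySudoGroup@domain.tld), sssd as the AD client, and RHEL8 default paths, including sudo's lecture record directory /var/db/sudo/lectured.

```shell
#!/bin/sh
# Added diagnostic helper for a domain user whose sudo password is rejected.
# Assumptions: group MySudoGroup@domain.tld as in the sudoers rule, sssd as the
# AD client, RHEL8 default paths. Not code from the thread.

SUDO_GROUP="${SUDO_GROUP:-MySudoGroup@domain.tld}"

# nsswitch_uses_sss FILE DB: succeed if the "DB:" line in FILE lists sss as a
# source (text after '#' is ignored, so a commented-out sss does not count).
nsswitch_uses_sss() {
    grep -E "^[[:space:]]*$2:[^#]*[[:space:]]sss([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# id_lists_group ID_OUTPUT GROUP: succeed if the output of `id USER` names GROUP.
# Names are read from the "groups=gid(name),..." field so AD group names that
# contain spaces survive; the match is case-insensitive because sssd may
# lower-case names, and the "@domain" suffix depends on use_fully_qualified_names.
id_lists_group() {
    printf '%s\n' "$1" | sed -n 's/ context=.*//; s/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(//; s/)$//' | grep -Fixq -- "$2"
}

# check_user USER: run the live checks on this host and print a short report.
check_user() {
    user="$1"; rc=0
    for db in passwd group sudoers; do
        if nsswitch_uses_sss /etc/nsswitch.conf "$db"; then
            echo "ok:   nsswitch $db uses sss"
        else
            echo "FAIL: nsswitch $db does not list sss"; rc=1
        fi
    done
    if id_lists_group "$(id "$user" 2>/dev/null)" "$SUDO_GROUP"; then
        echo "ok:   $user resolves with group $SUDO_GROUP"
    else
        echo "FAIL: $user not seen in $SUDO_GROUP (check AD membership and sssd cache)"; rc=1
    fi
    systemctl is-active --quiet sssd && echo "ok:   sssd active" \
        || { echo "FAIL: sssd not active"; rc=1; }
    # sudo shows its lecture only until the user's first successful sudo on this
    # host, so a lecture on every attempt means sudo has never authenticated them here.
    [ -e "/var/db/sudo/lectured/$user" ] && echo "note: $user has passed sudo auth here before" \
        || echo "note: no lecture record, sudo has never succeeded for $user on this host"
    return $rc
}

if [ -n "$1" ]; then check_user "$1"; fi
```

Run it as root with the user name as the only argument; the nsswitch and group checks also work offline on captured `id` output, which is what the parsing functions take.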