Add AD Domain user to sudoers from the command line
Solution 1
I encounter this problem and here's my solution:
Edit /etc/sudoers
: with the following entries
First check aduser using command id
#id <AD user>( #id domain\\aduser01 )
Results on mine:
SMB\aduser01@linux01:~/Desktop$ id smb\\aduser02
uid=914883676(SMB\aduser02) gid=914883073(SMB\domain^users) groups=914883073(SMB\domain^users),1544(BUILTIN\Administrators),1545(BUILTIN\Users),914883072(SMB\domain^admins)
getent passwd
and gid NUMBERS
doesn't work for me. DOMAIN\\domain^users
works for me
%SMB\\domain^users ALL=(ALL) ALL
as we all know individual AD user works also
SMB\\<aduser01> ALL=(ALL) ALL
Solution 2
we have a long domain name with .local sufix,
neighter the
%domainname\\group ALL=(ALL) ALL
nor the
%domainname.local\\group ALL=(ALL) ALL
worked...
but if I only use the groupname like this:
%Domain^Admins ALL=(ALL) ALL
it works.
Solution 3
I use the common command
sudo usermod -a -G sudo DOMAIN\username
and replace DOMAIN\user
with DOMAIN\\\username
.
Solution 4
The problem with the other suggestions is that
- they only work when you have access to the corporate LAN (or VPN)
- you have to maintain the sudoers file on each and every computer all the time
- as a bonus, they didn't work for me - at all
Instead, I wanted something that
- caches both the credentials and the sudo access
- is centrally managed
The actual solution is using SSSD and extending the AD schema. This way SSSD fetches sudo settings and user credentials periodically from AD and maintains a local cache of them. The sudo rules are then stored in AD objects, where you can restrict rules to computers, users and commands, even - all that without ever touching a sudoers file on the workstations.
The exact tutorial is way too long to explain here, but you can find the step-by-step guide and some scripts to help with automation here:
TL;DR:
AD
Grab the latest release of sudo, get the doc/schema.ActiveDirectory file, then import it (make sure to modify the domain path according to your domain name):
ldifde -i -f schema.ActiveDirectory -c "CN=Schema,CN=Configuration,DC=X" "CN=Schema,CN=Configuration,DC=ad,DC=foobar,DC=com" -j .
Verify it with ADSI Edit: open the Schema naming context and look for the sudoRole class.
Now create the sudoers OU on your domain root, this OU will hold all the sudo settings for all your Linux workstations. Under this OU, create a sudoRole object. To create the sudoRole object you have to use ADSI Edit, but once created, you can use Active Directory Users and Computers to modify it.
Let's assume I have a computer named foo32linux, a user called stewie.griffin and I want to let him run all commands with sudo on that comp. In this case, I create a sudoRole object under the sudoers OU. For the sudoRole you can use any name you want - I stick with the computer name since I use per-computer rules. Now set its attributes as follows:
- sudoHost: foo32linux
- sudoCommand: ALL
- sudoUser: stewie.griffin
For commands you can use specific entries as well, like /bin/less or whatever.
SSSD
Add to your /etc/sssd/sssd.conf, at least:
[sssd]
services = nss, pam, sudo
[domain/AD.FOOBAR.COM]
cache_credentials = True
SSSD refreshes its local cache with the updated rules every few hours, but the simplest way to test it is to just reboot the computer. Then log in with the AD user and check:
sudo -l
It should list all the related entires you added to that user and computer. Easy-peasy!
Solution 5
My preferred answer would be @bviktor's, but I am not yet an advanced enough domain administrator. None of the other answers above worked for me. I always got the same error message reported by OP. The format of the error message suggests to me that the entries in sudoers are case-sensitive, but I have never seen any discussion of this in the numerous posts I have read on this subject. For example, some posts suggest the group name "Domain^Admins", whereas others suggest "domain^admins". Neither worked in my case. On the DC (a Synology DS), the group is displayed as "Domain Admins", but on the client PC (running Ubuntu Studio 18.04), the command "id" returns the group as "domain admins".
What did work for me was to use:
sudo visudo
as described above to add a single user instead of a group:
[email protected] ALL=(ALL) ALL
to the end of sudoers.
Related videos on Youtube
Wyatt Barnett
Updated on September 18, 2022Comments
-
Wyatt Barnett over 1 year
I'm setting up an Ubuntu 11.04 server VM for use as a database server. It would make everyone's lives easier if we could have folks login using windows credentials and perhaps even make the machine work with the current AD-driven security we've got elsewhere.
The first leg of this was really easy to accomplish --
apt-get install likewise-open
and I was pretty much in business. The problem I'm having is getting our admins into the sudoers groups -- I can't seem to get anything to take. I've tried:a)
usermod -aG sudoers [username]
b) adding the user names in several formats (DOMAIN\user, user@domain) to the sudoers file.None of which seemed to take, I still get told "DOMAIN\user is not in the sudoers file. This incident will be reported."
So, how do I add non-local users to the sudoers?
-
Wyatt Barnett over 12 yearsThanks really could not figure out where to look. For the record, DOMIAN\\username works for individuals.
-
TheWanderer over 8 yearsIt may be long but, since links become invalid, it is a rule that the essential parts be included here, with the link for reference.
-
bviktor over 8 yearsActually, I added the essential parts, i.e. the concept. I could cherry-pick some other parts but they're useless without the rest and without understanding the big picture, so I fail to see the point. It'd do more harm than good.
-
TheWanderer over 8 yearsis a rule of AskUbuntu that someone who comes along needs to be able to look at your answer and solve their issue without going to an external site.
-
bviktor over 8 yearsAdded more relevant info.
-
mjp about 7 yearsThis was the solution that worked in the end.
%Domain^Admins ALL=(ALL) ALL
-
mrtumnus over 3 yearsThe
%<domain>\\<group>
method didn't work for me. I had to use%<group_with_underscores>
, probably because I have my samba/winbind set withwinbind use default domain
andwinbind normalize names
set toyes
.