Edit Sudoers file to allow sudo rights to a AD domain group
Solution 1
If group consists of single word then it should be sufficient to add following record to /etc/sudoers file:
%ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL
If group contain spaces then record should look like:
%Domain\ Users ALL=(ALL:ALL) ALL
%Domain\ Admins ALL=(ALL:ALL) NOPASSWD:ALL
%Linux\ Admins ALL=(ALL:ALL) NOPASSWD:ALL
Here "Domain\ Users" , "Domain\ Admins", "Linux\ Admins" is group name in Active Directory
Solution 2
I ran sudo visudo
and I added this line:
%[email protected] ALL=(ALL:ALL) ALL
and it finally works.
Related videos on Youtube
Hunter Lowe
Updated on September 18, 2022Comments
-
Hunter Lowe over 1 year
I recently managed to get my Ubuntu Server 18.04 machine connected to my companies Windows AD. I am able to login with my AD credentials however I want to take it a step further...
This is the article I followed in order to get my Ubuntu 18.04 machine onto the windows domain, note I did not do any configuration on restricting ssh login to a domain group as I am still struggling. https://www.smbadmin.com/2018/06/connecting-ubuntu-server-1804-to-active.html?showComment=1548915938955#c6716393705599388679
However....
The goal of what I am trying to achieve is as follows:
- Add a line to /etc/sudoers file that specifies an AD group within my organization.
- This groups members should have sudo access on the Linux machines in our organisation.
What I've done:
- I tried adding lines like :
- "nameofdomain\nameofgroup ALL=(ALL:ALL) ALL"
- And more.... However whenever I try to sudo with a user I know is in the group I receive the usual "...user not in sudoers... incident will be reported..."
What could be the reason for this? Is it perhaps due to the configurations I've specified when connecting the machine to the AD domain?
The full path to this group is as follows: - domainname/Groups/Elab/Elab-Level3
Here is the configuration for my files used to join the AD domain:
krb5.conf
[libdefaults] default_realm = MYREALM dns_lookup_kdc = true dns_lookup_realm = true
...... rest of file ........
realmd.conf
[users] default-home = /home/%D/%U default-shell = /bin/bash [active-directory] default-client = sssd os-name = Ubuntu Server os-version = 18.04 [service] automatic-install = no [mydomain] fully-qualified-names = yes automatic-id-mapping = no user-principal = yes manage-system = yes
sssd.conf
[sssd] domains = mydomain config_file_version = 2 services = nss, pam, ssh [domain/mydomain] ad_domain = mydomain krb5_realm = MYDOMAIN realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = False fallback_homedir = /home/%u@%d access_provider = ad ldap_user_ssh_public_key = altSecurityIdentities
I'm really hoping that someone here has the answer, I've searched many many threads and have not been able to crack this nut
-
Hunter Lowe about 5 yearsYour answer is EXACTLY what I needed. I did not realize that it is not necessary to specify the domain followed by the group. I don't have enough reputation to upvote your answer, however please note to anyone reading this, simply specifing "%ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL" worked exactly as needed