Linux commands to add an Active Directory group in Sudoers file
Note: Messing with the sudoers file has some risk. Before starting, things to think about include:
- System backups
- A physical root shell (in a properly configured ssh environment root should be disallowed from logging into a system over ssh)
- Familiarity with booting off a live CD to "fix" whatever is broken
Assuming you have AD integration already in place, groups will list all the groups that a user has; this is important so that you get the proper casing for the group name. Take that and then add it to the /etc/sudoers file. I use nano and add one of these lines at the bottom of the file.
%domain\groupname ALL=(ALL) ALL
or
%groupname ALL=(ALL) ALL
A domain may or may not be needed. That is a function of other decisions in setting up the AD authentication integration. If AD authenticated users are dumped into /home/<DOMAIN>/<username>, then you'll most likely need the exact same name as DOMAIN in the sudoers file.
To automate this from a script, call
echo "%groupname ALL=(ALL)ALL" >> /etc/sudoers
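A safer shape for that automation step, as an added example that is not part of the original answer or its comments: build the rule from the domain and group name, refuse names sudoers would misparse, have visudo check the rule in a temporary file, and only then install it as a drop-in under /etc/sudoers.d. This way a typo can never leave /etc/sudoers unparseable, which would lock every account out of sudo. The function names are this example's own; it assumes visudo and the coreutils install command are present, and the install step needs root.

```shell
#!/bin/sh
# Added example, not from the original answer: build the sudoers rule for an
# AD group, let visudo parse it, and only then install it as a drop-in file
# under /etc/sudoers.d. Function names are this example's own.

# sudoers_line DOMAIN GROUP
# Prints "%DOMAIN\\GROUP ALL=(ALL) ALL", or "%GROUP ALL=(ALL) ALL" when
# DOMAIN is empty. sudoers uses '\' as its escape character, so the literal
# backslash between domain and group is written as '\\' in the file.
sudoers_line() {
    domain=$1
    group=$2
    # Refuse anything sudoers would interpret (whitespace, '=', ':', ',',
    # parentheses, '!', '#', quotes, backslash) rather than trying to escape it.
    case "$group" in
        ''|*[!A-Za-z0-9._-]*)
            echo "sudoers_line: unsafe group name: '$group'" >&2; return 1 ;;
    esac
    case "$domain" in
        *[!A-Za-z0-9._-]*)
            echo "sudoers_line: unsafe domain: '$domain'" >&2; return 1 ;;
    esac
    if [ -n "$domain" ]; then
        printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$domain" "$group"
    else
        printf '%%%s ALL=(ALL) ALL\n' "$group"
    fi
}

# sudoers_d_name GROUP
# File name for the drop-in. sudo silently ignores files in /etc/sudoers.d
# whose name contains a '.' or ends in '~', so every character outside
# [A-Za-z0-9_] is mapped to '-'. (Prints without a trailing newline.)
sudoers_d_name() {
    printf '%s' "ad-$1" | tr -c 'A-Za-z0-9_' '-'
}

# install_ad_sudo_rule DOMAIN GROUP
# Needs root. Writes the rule to a temp file, runs "visudo -c -f" on it
# (syntax check only, nothing installed), then copies it into place with the
# 0440 mode sudo requires. A rejected rule leaves the system untouched.
install_ad_sudo_rule() {
    dest="/etc/sudoers.d/$(sudoers_d_name "$2")"
    tmp=$(mktemp) || return 1
    if ! sudoers_line "$1" "$2" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! visudo -c -f "$tmp" > /dev/null; then
        echo "install_ad_sudo_rule: visudo rejected the rule, nothing installed" >&2
        rm -f "$tmp"; return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$dest" && rm -f "$tmp" &&
        echo "installed $dest: $(cat "$dest")"
}

# Usage (as root): sh add-ad-sudo.sh install test.com linux-admin
if [ "$#" -eq 3 ] && [ "$1" = install ]; then
    install_ad_sudo_rule "$2" "$3"
fi
```

Using a drop-in file instead of appending to /etc/sudoers also makes the change easy to audit and revert: removing the one file in /etc/sudoers.d undoes it, and the main sudoers file keeps its packaged contents.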
Updated on September 18, 2022

Comments
- tset over 1 year
What is the Linux (Red Hat) command to add an Active Directory (AD) group in the sudoers file to restrict the local admin access to the members of the group? For eg, I have an AD group linux-admin and I would like to add this line: %test.com\linux-admin ALL=(ALL) ALL
- tset over 7 years
That's great. But how do I add this line to the file without opening the file? The reason I am trying to do this is to automate this.
- John over 7 years
I added an automation note. Backup sudoers before you do this, and re-verify after to make sure it's right.
- roaima over 7 years
Not only take a backup, but make sure you have a root shell open somewhere too.
- John over 7 years
I wasn't looking beyond the question, but you're right. If considerations aren't included, someone will do this without proper preparation. I added a note at the top to clarify things.