Add AD Domain user to sudoers from the command line
I encountered this problem and here's my solution:
Edit /etc/sudoers with the following entries.
First check the AD user using the id command:
# id <AD user>    (e.g. # id domain\\aduser01)
Results on mine:
SMB\aduser01@linux01:~/Desktop$ id smb\\aduser02
uid=914883676(SMB\aduser02) gid=914883073(SMB\domain^users) groups=914883073(SMB\domain^users),1544(BUILTIN\Administrators),1545(BUILTIN\Users),914883072(SMB\domain^admins)
getent passwd and the gid NUMBERS don't work for me. DOMAIN\\domain^users works for me:
%SMB\\domain^users ALL=(ALL) ALL
As we all know, an individual AD user works as well:
SMB\\<aduser01> ALL=(ALL) ALL
We have a long domain name with a .local suffix; neither the
%domainname\\group ALL=(ALL) ALL
nor the
%domainname.local\\group ALL=(ALL) ALL
worked...
But if I only use the group name like this:
%Domain^Admins ALL=(ALL) ALL
it works.
The problem with the other suggestions is that
- they only work when you have access to the corporate LAN (or VPN)
- you have to maintain the sudoers file on each and every computer all the time
- as a bonus, they didn't work for me - at all
Instead, I wanted something that
- caches both the credentials and the sudo access
- is centrally managed
The actual solution is using SSSD and extending the AD schema. This way SSSD fetches sudo settings and user credentials periodically from AD and maintains a local cache of them. The sudo rules are then stored in AD objects, where you can restrict rules to computers, users and commands, all without ever touching a sudoers file on the workstations.
The exact tutorial is way too long to explain here, but you can find the step-by-step guide and some scripts to help with automation here:
- Integrating Ubuntu with Active Directory
TL;DR:
AD
Grab the latest release of sudo, get the doc/schema.ActiveDirectory file, then import it (make sure to modify the domain path according to your domain name):
ldifde -i -f schema.ActiveDirectory -c "CN=Schema,CN=Configuration,DC=X" "CN=Schema,CN=Configuration,DC=ad,DC=foobar,DC=com" -j .
Verify it with ADSI Edit: open the Schema naming context and look for the sudoRole class.
Now create the sudoers OU on your domain root; this OU will hold all the sudo settings for all your Linux workstations. Under this OU, create a sudoRole object. To create the sudoRole object you have to use ADSI Edit, but once created, you can use Active Directory Users and Computers to modify it.
Let's assume I have a computer named foo32linux, a user called stewie.griffin and I want to let him run all commands with sudo on that comp. In this case, I create a sudoRole object under the sudoers OU. For the sudoRole you can use any name you want - I stick with the computer name since I use per-computer rules. Now set its attributes as follows:
- sudoHost: foo32linux
- sudoCommand: ALL
- sudoUser: stewie.griffin
For commands you can use specific entries as well, like /bin/less or whatever.
SSSD
Add to your /etc/sssd/sssd.conf, at least:
[sssd]
services = nss, pam, sudo
[domain/AD.FOOBAR.COM]
cache_credentials = True
SSSD refreshes its local cache with the updated rules every few hours, but the simplest way to test it is to just reboot the computer. Then log in with the AD user and check:
sudo -l
It should list all the related entries you added to that user and computer. Easy-peasy!
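The sudoRole object from this answer, rendered as the LDIF you could feed to ldifde instead of clicking through ADSI Edit, plus a breadth check to read before importing. This is an added example, not the answer's own script; the base DN (the sudoers OU under the answer's ad.foobar.com domain) is an assumption.

```python
import base64
from dataclasses import dataclass, field
from typing import List

# Constructed base DN: the 'sudoers' OU at the root of the ad.foobar.com domain.
SUDOERS_OU = "OU=sudoers,DC=ad,DC=foobar,DC=com"

@dataclass
class SudoRole:
    name: str                                        # cn; the answer uses the computer name
    hosts: List[str]                                 # sudoHost values
    users: List[str]                                 # sudoUser values ("%group" for groups)
    commands: List[str]                              # sudoCommand values
    run_as: List[str] = field(default_factory=list)  # sudoRunAsUser, optional

def ldif_attr(name: str, value: str) -> str:
    """One LDIF line; base64-encode values that LDIF (RFC 2849) cannot carry literally."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or "\n" in value or "\r" in value)
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"

def to_ldif(role: SudoRole, base: str = SUDOERS_OU) -> str:
    """Render the sudoRole object as one LDIF entry for 'ldifde -i -f <file>'."""
    lines = [f"dn: CN={role.name},{base}", "objectClass: top",
             "objectClass: sudoRole", ldif_attr("cn", role.name)]
    for attr, values in (("sudoHost", role.hosts), ("sudoUser", role.users),
                         ("sudoCommand", role.commands), ("sudoRunAsUser", role.run_as)):
        lines += [ldif_attr(attr, v) for v in values]
    return "\n".join(lines) + "\n"

def review(role: SudoRole) -> List[str]:
    """Return the rule-breadth findings a reviewer should see before importing."""
    findings = []
    if any(h.upper() == "ALL" for h in role.hosts):
        findings.append("sudoHost ALL: the rule reaches every SSSD client, not one computer")
    if any(u.upper() == "ALL" for u in role.users):
        findings.append("sudoUser ALL: every AD user matches this rule")
    if any(c.upper() == "ALL" for c in role.commands):
        findings.append("sudoCommand ALL: unrestricted root; prefer explicit paths such as /bin/less")
    if any(c.startswith("!") for c in role.commands):
        findings.append("negated sudoCommand: deny lists are easy to sidestep, use an allow list")
    return findings

if __name__ == "__main__":
    # The answer's example: stewie.griffin may run anything on foo32linux.
    role = SudoRole("foo32linux", ["foo32linux"], ["stewie.griffin"], ["ALL"])
    print(to_ldif(role))
    for finding in review(role):
        print("REVIEW:", finding)
```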