Edit Sudoers file to allow sudo rights to a AD domain group












1















I recently managed to get my Ubuntu Server 18.04 machine connected to my companies Windows AD. I am able to login with my AD credentials however I want to take it a step further...



This is the article I followed in order to get my Ubuntu 18.04 machine onto the windows domain, note I did not do any configuration on restricting ssh login to a domain group as I am still struggling.
https://www.smbadmin.com/2018/06/connecting-ubuntu-server-1804-to-active.html?showComment=1548915938955#c6716393705599388679



However....



The goal of what I am trying to achieve is as follows:




  • Add a line to /etc/sudoers file that specifies an AD group within my organization.

  • This groups members should have sudo access on the Linux machines in our organisation.


What I've done:




  • I tried adding lines like :

  • "nameofdomainnameofgroup ALL=(ALL:ALL) ALL"

  • And more.... However whenever I try to sudo with a user I know is in the group I receive the usual "...user not in sudoers... incident will be reported..."


What could be the reason for this? Is it perhaps due to the configurations I've specified when connecting the machine to the AD domain?



The full path to this group is as follows:
- domainname/Groups/Elab/Elab-Level3



Here is the configuration for my files used to join the AD domain:



krb5.conf



[libdefaults]
default_realm = MYREALM
dns_lookup_kdc = true
dns_lookup_realm = true


...... rest of file ........



realmd.conf



[users]
default-home = /home/%D/%U
default-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = Ubuntu Server
os-version = 18.04

[service]
automatic-install = no

[mydomain]
fully-qualified-names = yes
automatic-id-mapping = no
user-principal = yes
manage-system = yes


sssd.conf



[sssd] 
domains = mydomain config_file_version = 2
services = nss, pam, ssh

[domain/mydomain]
ad_domain = mydomain
krb5_realm = MYDOMAIN
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
ldap_user_ssh_public_key = altSecurityIdentities


I'm really hoping that someone here has the answer, I've searched many many threads and have not been able to crack this nut










share|improve this question



























    1















    I recently managed to get my Ubuntu Server 18.04 machine connected to my companies Windows AD. I am able to login with my AD credentials however I want to take it a step further...



    This is the article I followed in order to get my Ubuntu 18.04 machine onto the windows domain, note I did not do any configuration on restricting ssh login to a domain group as I am still struggling.
    https://www.smbadmin.com/2018/06/connecting-ubuntu-server-1804-to-active.html?showComment=1548915938955#c6716393705599388679



    However....



    The goal of what I am trying to achieve is as follows:




    • Add a line to /etc/sudoers file that specifies an AD group within my organization.

    • This groups members should have sudo access on the Linux machines in our organisation.


    What I've done:




    • I tried adding lines like :

    • "nameofdomainnameofgroup ALL=(ALL:ALL) ALL"

    • And more.... However whenever I try to sudo with a user I know is in the group I receive the usual "...user not in sudoers... incident will be reported..."


    What could be the reason for this? Is it perhaps due to the configurations I've specified when connecting the machine to the AD domain?



    The full path to this group is as follows:
    - domainname/Groups/Elab/Elab-Level3



    Here is the configuration for my files used to join the AD domain:



    krb5.conf



    [libdefaults]
    default_realm = MYREALM
    dns_lookup_kdc = true
    dns_lookup_realm = true


    ...... rest of file ........



    realmd.conf



    [users]
    default-home = /home/%D/%U
    default-shell = /bin/bash

    [active-directory]
    default-client = sssd
    os-name = Ubuntu Server
    os-version = 18.04

    [service]
    automatic-install = no

    [mydomain]
    fully-qualified-names = yes
    automatic-id-mapping = no
    user-principal = yes
    manage-system = yes


    sssd.conf



    [sssd] 
    domains = mydomain config_file_version = 2
    services = nss, pam, ssh

    [domain/mydomain]
    ad_domain = mydomain
    krb5_realm = MYDOMAIN
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    fallback_homedir = /home/%u@%d
    access_provider = ad
    ldap_user_ssh_public_key = altSecurityIdentities


    I'm really hoping that someone here has the answer, I've searched many many threads and have not been able to crack this nut










    share|improve this question

























      1












      1








      1








      I recently managed to get my Ubuntu Server 18.04 machine connected to my companies Windows AD. I am able to login with my AD credentials however I want to take it a step further...



      This is the article I followed in order to get my Ubuntu 18.04 machine onto the windows domain, note I did not do any configuration on restricting ssh login to a domain group as I am still struggling.
      https://www.smbadmin.com/2018/06/connecting-ubuntu-server-1804-to-active.html?showComment=1548915938955#c6716393705599388679



      However....



      The goal of what I am trying to achieve is as follows:




      • Add a line to /etc/sudoers file that specifies an AD group within my organization.

      • This groups members should have sudo access on the Linux machines in our organisation.


      What I've done:




      • I tried adding lines like :

      • "nameofdomainnameofgroup ALL=(ALL:ALL) ALL"

      • And more.... However whenever I try to sudo with a user I know is in the group I receive the usual "...user not in sudoers... incident will be reported..."


      What could be the reason for this? Is it perhaps due to the configurations I've specified when connecting the machine to the AD domain?



      The full path to this group is as follows:
      - domainname/Groups/Elab/Elab-Level3



      Here is the configuration for my files used to join the AD domain:



      krb5.conf



      [libdefaults]
      default_realm = MYREALM
      dns_lookup_kdc = true
      dns_lookup_realm = true


      ...... rest of file ........



      realmd.conf



      [users]
      default-home = /home/%D/%U
      default-shell = /bin/bash

      [active-directory]
      default-client = sssd
      os-name = Ubuntu Server
      os-version = 18.04

      [service]
      automatic-install = no

      [mydomain]
      fully-qualified-names = yes
      automatic-id-mapping = no
      user-principal = yes
      manage-system = yes


      sssd.conf



      [sssd] 
      domains = mydomain config_file_version = 2
      services = nss, pam, ssh

      [domain/mydomain]
      ad_domain = mydomain
      krb5_realm = MYDOMAIN
      realmd_tags = manages-system joined-with-adcli
      cache_credentials = True
      id_provider = ad
      krb5_store_password_if_offline = True
      default_shell = /bin/bash
      ldap_id_mapping = True
      use_fully_qualified_names = False
      fallback_homedir = /home/%u@%d
      access_provider = ad
      ldap_user_ssh_public_key = altSecurityIdentities


      I'm really hoping that someone here has the answer, I've searched many many threads and have not been able to crack this nut










      share|improve this question














      I recently managed to get my Ubuntu Server 18.04 machine connected to my companies Windows AD. I am able to login with my AD credentials however I want to take it a step further...



      This is the article I followed in order to get my Ubuntu 18.04 machine onto the windows domain, note I did not do any configuration on restricting ssh login to a domain group as I am still struggling.
      https://www.smbadmin.com/2018/06/connecting-ubuntu-server-1804-to-active.html?showComment=1548915938955#c6716393705599388679



      However....



      The goal of what I am trying to achieve is as follows:




      • Add a line to /etc/sudoers file that specifies an AD group within my organization.

      • This groups members should have sudo access on the Linux machines in our organisation.


      What I've done:




      • I tried adding lines like :

      • "nameofdomainnameofgroup ALL=(ALL:ALL) ALL"

      • And more.... However whenever I try to sudo with a user I know is in the group I receive the usual "...user not in sudoers... incident will be reported..."


      What could be the reason for this? Is it perhaps due to the configurations I've specified when connecting the machine to the AD domain?



      The full path to this group is as follows:
      - domainname/Groups/Elab/Elab-Level3



      Here is the configuration for my files used to join the AD domain:



      krb5.conf



      [libdefaults]
      default_realm = MYREALM
      dns_lookup_kdc = true
      dns_lookup_realm = true


      ...... rest of file ........



      realmd.conf



      [users]
      default-home = /home/%D/%U
      default-shell = /bin/bash

      [active-directory]
      default-client = sssd
      os-name = Ubuntu Server
      os-version = 18.04

      [service]
      automatic-install = no

      [mydomain]
      fully-qualified-names = yes
      automatic-id-mapping = no
      user-principal = yes
      manage-system = yes


      sssd.conf



      [sssd] 
      domains = mydomain config_file_version = 2
      services = nss, pam, ssh

      [domain/mydomain]
      ad_domain = mydomain
      krb5_realm = MYDOMAIN
      realmd_tags = manages-system joined-with-adcli
      cache_credentials = True
      id_provider = ad
      krb5_store_password_if_offline = True
      default_shell = /bin/bash
      ldap_id_mapping = True
      use_fully_qualified_names = False
      fallback_homedir = /home/%u@%d
      access_provider = ad
      ldap_user_ssh_public_key = altSecurityIdentities


      I'm really hoping that someone here has the answer, I've searched many many threads and have not been able to crack this nut







      18.04 active-directory groups kerberos sssd






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 31 at 10:56









      Hunter LoweHunter Lowe

      209




      209






















          1 Answer
          1






          active

          oldest

          votes


















          2














          If group consists of single word then it should be sufficient to add following record to /etc/sudoers file:



          %ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL


          If group contain spaces then record should look like:



          %Domain Users ALL=(ALL:ALL) ALL
          %Domain Admins ALL=(ALL:ALL) NOPASSWD:ALL
          %Linux Admins ALL=(ALL:ALL) NOPASSWD:ALL


          Here "Domain Users" , "Domain Admins", "Linux Admins" is group name in Active Directory






          share|improve this answer
























          • Your answer is EXACTLY what I needed. I did not realize that it is not necessary to specify the domain followed by the group. I don't have enough reputation to upvote your answer, however please note to anyone reading this, simply specifing "%ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL" worked exactly as needed

            – Hunter Lowe
            Jan 31 at 12:35













          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1114364%2fedit-sudoers-file-to-allow-sudo-rights-to-a-ad-domain-group%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          2














          If group consists of single word then it should be sufficient to add following record to /etc/sudoers file:



          %ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL


          If group contain spaces then record should look like:



          %Domain Users ALL=(ALL:ALL) ALL
          %Domain Admins ALL=(ALL:ALL) NOPASSWD:ALL
          %Linux Admins ALL=(ALL:ALL) NOPASSWD:ALL


          Here "Domain Users" , "Domain Admins", "Linux Admins" is group name in Active Directory






          share|improve this answer
























          • Your answer is EXACTLY what I needed. I did not realize that it is not necessary to specify the domain followed by the group. I don't have enough reputation to upvote your answer, however please note to anyone reading this, simply specifing "%ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL" worked exactly as needed

            – Hunter Lowe
            Jan 31 at 12:35


















          2














          If group consists of single word then it should be sufficient to add following record to /etc/sudoers file:



          %ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL


          If group contain spaces then record should look like:



          %Domain Users ALL=(ALL:ALL) ALL
          %Domain Admins ALL=(ALL:ALL) NOPASSWD:ALL
          %Linux Admins ALL=(ALL:ALL) NOPASSWD:ALL


          Here "Domain Users" , "Domain Admins", "Linux Admins" is group name in Active Directory






          share|improve this answer
























          • Your answer is EXACTLY what I needed. I did not realize that it is not necessary to specify the domain followed by the group. I don't have enough reputation to upvote your answer, however please note to anyone reading this, simply specifing "%ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL" worked exactly as needed

            – Hunter Lowe
            Jan 31 at 12:35
















          2












          2








          2







          If group consists of single word then it should be sufficient to add following record to /etc/sudoers file:



          %ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL


          If group contain spaces then record should look like:



          %Domain Users ALL=(ALL:ALL) ALL
          %Domain Admins ALL=(ALL:ALL) NOPASSWD:ALL
          %Linux Admins ALL=(ALL:ALL) NOPASSWD:ALL


          Here "Domain Users" , "Domain Admins", "Linux Admins" is group name in Active Directory






          share|improve this answer













          If group consists of single word then it should be sufficient to add following record to /etc/sudoers file:



          %ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL


          If group contain spaces then record should look like:



          %Domain Users ALL=(ALL:ALL) ALL
          %Domain Admins ALL=(ALL:ALL) NOPASSWD:ALL
          %Linux Admins ALL=(ALL:ALL) NOPASSWD:ALL


          Here "Domain Users" , "Domain Admins", "Linux Admins" is group name in Active Directory







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jan 31 at 11:27









          ViktorViktor

          384




          384













          • Your answer is EXACTLY what I needed. I did not realize that it is not necessary to specify the domain followed by the group. I don't have enough reputation to upvote your answer, however please note to anyone reading this, simply specifing "%ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL" worked exactly as needed

            – Hunter Lowe
            Jan 31 at 12:35





















          • Your answer is EXACTLY what I needed. I did not realize that it is not necessary to specify the domain followed by the group. I don't have enough reputation to upvote your answer, however please note to anyone reading this, simply specifing "%ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL" worked exactly as needed

            – Hunter Lowe
            Jan 31 at 12:35



















          Your answer is EXACTLY what I needed. I did not realize that it is not necessary to specify the domain followed by the group. I don't have enough reputation to upvote your answer, however please note to anyone reading this, simply specifing "%ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL" worked exactly as needed

          – Hunter Lowe
          Jan 31 at 12:35







          Your answer is EXACTLY what I needed. I did not realize that it is not necessary to specify the domain followed by the group. I don't have enough reputation to upvote your answer, however please note to anyone reading this, simply specifing "%ActiveDirectoryUserGroup ALL=(ALL:ALL) ALL" worked exactly as needed

          – Hunter Lowe
          Jan 31 at 12:35




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Ask Ubuntu!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1114364%2fedit-sudoers-file-to-allow-sudo-rights-to-a-ad-domain-group%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to make a Squid Proxy server?

          Is this a new Fibonacci Identity?

          19世紀