Active Directory – Add AD Domain User to sudoers from Command Line

active-directorysudo

I'm setting up an Ubuntu 11.04 server VM for use as a database server. It would make everyone's lives easier if we could have folks login using windows credentials and perhaps even make the machine work with the current AD-driven security we've got elsewhere.

The first leg of this was really easy to accomplish — apt-get install likewise-open and I was pretty much in business. The problem I'm having is getting our admins into the sudoers groups — I can't seem to get anything to take. I've tried:

a) usermod -aG sudoers [username]
b) adding the user names in several formats (DOMAIN\user, user@domain) to the sudoers file.

None of which seemed to take, I still get told "DOMAIN\user is not in the sudoers file. This incident will be reported."

So, how do I add non-local users to the sudoers?

Best Answer

I encounter this problem and here's my solution:

Edit /etc/sudoers: with the following entries

First check aduser using command id

#id <AD user>( #id domain\\aduser01 )

Results on mine:

SMB\aduser01@linux01:~/Desktop$ id smb\\aduser02
uid=914883676(SMB\aduser02) gid=914883073(SMB\domain^users) groups=914883073(SMB\domain^users),1544(BUILTIN\Administrators),1545(BUILTIN\Users),914883072(SMB\domain^admins)

getent passwd and gid NUMBERS doesn't work for me. DOMAIN\\domain^users works for me

%SMB\\domain^users ALL=(ALL) ALL

as we all know individual AD user works also

SMB\\<aduser01> ALL=(ALL) ALL

Related Solutions

Ubuntu – How to add Domain Admins to sudoers

This also worked for me:

%domain^admins ALL=(ALL:ALL) ALL

I assume this is because of the following commands used when setting up PBIS:

sudo /opt/pbis/bin/config UserDomainPrefix $domain
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U

This seems to make the domain accounts appear as local accounts to the system by assuming the domain name is before the login account. Therefore the domain name is not required by the sudoers list.

Any thoughts?

Sudo – Unable to Stat /etc/sudoers: No Such File or Directory

Ok. I have fixed my issue. And like I thought, it was not the file.

Solution

I had up until 10 minutes ago, only noticed that sudo wasn't working. As most of my work takes place in tmux, I never noticed my user account.

Upon first logging in I would get the following error:

-bash: /etc/profile Permission denied

And it would set me to: I have no name@<ipaddress> as my account.

So I did some research on this issue and found more results then the other issue. Including one result that was a perfect match for my situation, as found here.

The issue was that my /etc/ folder was missing the execute permission on the group. So executing: chmod g+x /etc fixed the issue after logging out and back in.

Thanks

Thanks for the help in the comments, the suggestions you gave were still valuable and helped narrow down the problem more. In the end it was far simpler then it seemed.