Configure sudo authentication for Active Directory group
This document (7018675) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 15 SP 1
SUSE Linux Enterprise Server 12 SP 5
SUSE Linux Enterprise Server 12 SP 4
SUSE Linux Enterprise Server 12 SP 3
SUSE Linux Enterprise Server 12 SP 2
SUSE Linux Enterprise Server 11 SP 4
Use visudo to modify the sudoers file for this type of authentication:
1. Comment out the two lines requesting the password of the target user (root) for sudo authentication:
#Defaults target pw # ask for the password of the target user i.e. root #ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
2. Add a new line somewhere under the "## User privilege specification" comment describing the Domain and Group to be included when running commands through sudo.
For this step we'll be assuming that the AD Domain is named "DOMAIN1", the group is "domain admins", and that users in this AD group may run any command under any user.
2a. When using Winbind:
## User privilege specification root ALL=(ALL) ALL "%DOMAIN1\domain admins" ALL=(ALL) ALL
2b. When using SSSD, if DOMAIN1 is the default domain:
## User privilege specification root ALL=(ALL) ALL "%domain admins" ALL=(ALL) ALL
2c. When using SSSD, if DOMAIN1 is a trusted domain:
## User privilege specification root ALL=(ALL) ALL "%domain admins@DOMAIN1" ALL=(ALL) ALL
Before attempting to set up sudo to authenticate against an Active Directory Domain, make sure the SUSE Linux Enterprise system is properly configured with said AD Domain in the YaST Windows Domain Membership module.
Edit the /etc/sudoers file with caution. NEVER edit the file directly; instead, always use the visudo command to edit sudoers configuration as it will check for syntax errors which may result in a "lock out" situation.
Secondly, please note that these syntax recommendations are assuming several default parameters. Depending on how the client has been adjusted for an environment, the syntax needed may change. Some example parameters that can change the necessary syntax are:
For winbind in the /etc/samba/smb.conf:
winbind use default domain = yes winbind separator = @
For sssd in the /etc/sssd/sssd.conf:
use_fully_qualified_names = true default_domain_suffix = <trusted domain>
The first winbind parameter may cause the "DOMAIN1\" to be unnecessary or to not work if it is the default domain. The second parameter would change the character used to separate the domain from the user to be different from the default "\" character to another, such as "@" in my example.
The first sssd parameter would require that the "@domain" portion be included even for the default domain. The second parameter would change which domain should not be included when providing users or groups.
There could be other parameters that effect syntax behavior as well. We're unable to be completely exhaustive and have only tried to note the more common pitfalls. So note your configuration carefully!
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7018675
- Creation Date: 28-Feb-2017
- Modified Date:08-Jun-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com