Create a domain group (linux_admin_sg, for example), give it a group ID < 999, and grant that group rights in sudoers.
Conversely, you could modify the default MINGID variable to a value greater than 1000 and recompile yp. It's not replicating the GIDs that don't have groups attached to them, so it's a wash as far as network/compute is concerned. My thinking would be, if you're in sudoers, you already have more rights than any system account or group other than wheel, so what's the downside of low-balling the GID?
You're looking at a security question. On high-security instances/servers, they actually disable domain-level groups and users so that only local users can access them and pull rights from local groups. That makes them a serious pain in the neck to admin; you need a guy who has an account on the instance to work on it. However, it's about as secure as you can make it in an enterprise environment.
Always a trade off.
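A worked version of the first suggestion, added here and not part of the thread: it picks an unused GID below the cut-off from a constructed group file and stages a scoped sudoers drop-in for the group, syntax-checking it with visudo -cf where available. The sample group entries, the command list and the drop-in path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a group(5)-style file and
# visudo(8); the command list and file paths are illustrative.

# Constructed sample group file: GID 998 is already taken.
GROUP_SAMPLE=$(mktemp)
cat >"$GROUP_SAMPLE" <<'EOF'
root:x:0:
wheel:x:10:alice
nisusers:x:998:
users:x:1000:
EOF

# Print the highest unused GID strictly below $2 in group file $1;
# fail if the whole range below the cut-off is already allocated.
free_gid_below() {
  file=$1 gid=$(($2 - 1))
  while [ "$gid" -gt 0 ]; do
    if ! cut -d: -f3 "$file" | grep -qx "$gid"; then
      echo "$gid"
      return 0
    fi
    gid=$((gid - 1))
  done
  return 1
}

# Print a scoped sudoers entry for group $1: commands are listed
# explicitly instead of ALL so membership grants only what is needed.
sudoers_line() {
  printf '%%%s ALL=(root) /usr/bin/systemctl, /usr/bin/journalctl\n' "$1"
}

# Write the entry as a drop-in ($2) with sudoers-style mode 0440 and,
# when visudo is available, syntax-check it before it is ever installed.
stage_sudoers() {
  sudoers_line "$1" >"$2"
  chmod 0440 "$2"
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$2"
  else
    echo "visudo not found; $2 written but not syntax-checked" >&2
  fi
}

gid=$(free_gid_below "$GROUP_SAMPLE" 999)   # 997 with the sample above
echo "groupadd -g $gid linux_admin_sg   # run on the directory master"
stage_sudoers linux_admin_sg "$(mktemp)" || echo "sudoers check failed" >&2
```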