Hey Everyone,

I am running CentOS 6.4 64 bit system running Winbind to authenticate to Active Directory. In our environment we have two AD Groups that can access these servers: UnixAdmins and UnixUsers. Depending on which AD group you are in, you have certain access rules via sudo. Here's a snippit from my sudoers file:

## Allows people in group wheel to run all commands
%ADDOMAIN\\UnixAdmin ALL=(ALL) ALL #gives AD group sudo rights
%ADDOMAIN\\UnixUsers ALL = NOPASSWD: /scripts/hotfix/deploy.sh, /scripts/hotfix/updateBuildVersion.sh

As you can tell from the entry in the sudoers file, anyone who assigned to the UnixAdmin group has sudo all. If they are assigned to the UnixUsers group, they have access to just TWO scripts that can run via no password.

So here is the interesting thing. In my /etc/security/pam_winbind.conf file, I have an entry which states:

require_membership_of = UnixAdmin,UnixUsers

This allows me to only allow these two active directory users to log into the Linux server. The problem is, when I try to run a script from our bastion host it gives me the error:

[ADDOMAIN\pconway@bastion~]$ ssh web60 sudo /scripts/hotfix/updateBuildVersion.sh
sudo: no tty present and no askpass program specified

Yet if I comment out that line in the pam_winbind.conf file, I don't get that error. Any reason why that would happen? I am at a loss. Thanks.

- Philippe

Hoping to get an answer to this. Any thoughts?

This doesn't look like a winbind problem to me. I've run into this before, and the root cause is that sudo refuses to run without a tty. When you issue a command directly as an argument to ssh, it, by default, does not give you a tty, and thus all sudo commands will fail.

The secret I found was to add the -t flag to ssh, which will force it to give you a tty. You might give that a try and see if it fixes your problem.