LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 01-05-2015, 09:11 AM   #1
whositwhatnow
Member
 
Registered: Mar 2012
Distribution: RHEL 5/6
Posts: 56

Rep: Reputation: Disabled
Sudoers and Active Directory issues


Hello,

I've recently set up a test box to authenticate to our AD servers. That works with no issues, but I want to add an AD group to the sudoers file. I've followed the following example:

Adding entries to /etc/sudoers

Adding the following entry to /etc/sudoers would allow you to give full sudo permissions to an AD group named ITadmins:

%DOMAIN\\ITadmins ALL=(ALL) ALL
Because a number of AD groups have spaces in the names, you'll need to escape the spaces using backslashes. For example, adding the following entry to /etc/sudoers would allow you to give full sudo permissions to an AD group named Group Name With Spaces:

%DOMAIN\\Group\ Name\ With\ Spaces ALL=(ALL) ALL

I'm running RHEL 6.6. I can get correct info from AD, but I cannot sudo with a valid user in a specified group. I need to be able to add different groups for access to different servers.

Any help would be great
 
Old 01-05-2015, 06:48 PM   #2
grantd1987
LQ Newbie
 
Registered: Jan 2015
Posts: 27

Rep: Reputation: Disabled
Hi there.

We recently did this and let's assume the following:

domain is Example.com
netbios name EX
group is Domain Admins

Since we were only using a single domain, we just added:

%domain\ admins ALL=(ALL) ALL

But you might get it to also work as:

%example.com\\domain\ admins ALL=(ALL) ALL
%ex\\domain\ admins ALL=(ALL) ALL


I did notice that the AD groups showed up as all lowercase for us, when in AD they are mixed case.
 
Old 01-05-2015, 08:24 PM   #3
whositwhatnow
Member
 
Registered: Mar 2012
Distribution: RHEL 5/6
Posts: 56

Original Poster
Rep: Reputation: Disabled
Thanks grantd1987, I'm gonna try out your suggestions, will follow up with outputs.

Oh, forgot to mention I'm just authenticating with AD using Kerberos.

Last edited by whositwhatnow; 01-05-2015 at 08:25 PM.
 
Old 01-06-2015, 10:01 AM   #4
grantd1987
LQ Newbie
 
Registered: Jan 2015
Posts: 27

Rep: Reputation: Disabled
We are using kerberos as well
 
Old 01-06-2015, 10:32 AM   #5
whositwhatnow
Member
 
Registered: Mar 2012
Distribution: RHEL 5/6
Posts: 56

Original Poster
Rep: Reputation: Disabled
So I followed both syntaxes and no go; the users in the group are getting the error "user is not in sudoers file".
 
Old 01-06-2015, 02:53 PM   #6
grantd1987
LQ Newbie
 
Registered: Jan 2015
Posts: 27

Rep: Reputation: Disabled
If you type "groups" when logged in, do you see the list of AD groups associated with that account?
 
Old 01-06-2015, 03:17 PM   #7
whositwhatnow
Member
 
Registered: Mar 2012
Distribution: RHEL 5/6
Posts: 56

Original Poster
Rep: Reputation: Disabled
No AD groups at all.
 
Old 01-06-2015, 03:19 PM   #8
grantd1987
LQ Newbie
 
Registered: Jan 2015
Posts: 27

Rep: Reputation: Disabled
Okay. That could be the difference. Let me pull the config/setup off our server and generalize it and post it here. That might help.
 
Old 01-06-2015, 07:24 PM   #9
grantd1987
LQ Newbie
 
Registered: Jan 2015
Posts: 27

Rep: Reputation: Disabled
Okay, after a quick collaboration, this is how we set it up:

yum -y install authconfig krb5-workstation pam_krb5 samba-common oddjob-mkhomedir sudo ntp

authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=UOI --smbrealm=EXAMPLE.COM --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/example.com/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=EXAMPLE.COM --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall

/etc/init.d/winbind stop

vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]

EXAMPLE.COM = {
kdc = ldap.example.com
admin_server = ldap.example.com
kdc = ldap.example.com
}

example.com = {
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
authconfig-tui

The next is ASCII text of the screens, followed by the buttons selected:


┌────────────────┤ Authentication Configuration ├─────────────────┐
│ │
│ User Information Authentication │
│ [ ] Cache Information [ ] Use MD5 Passwords │
│ [ ] Use LDAP[*] Use Shadow Passwords │
│ [ ] Use NIS [ ] Use LDAP Authentication │
│ [ ] Use IPAv2[*] Use Kerberos │
│[*] Use Winbind [ ] Use Fingerprint reader │
│[*] Use Winbind Authentication │
│[*] Local authorization is sufficient │
│ │
│ ┌────────┐ ┌──────┐ │
│ │ Cancel │ │ Next │ │
│ └────────┘ └──────┘ │
│ │
│ │
└─────────────────────────────────────────────────────────────────┘

Select "Next"



┌─────────────────┤ Kerberos Settings ├──────────────────┐
│ │
│ Realm: EXAMPLE.COM_____________________________ │
│ KDC: dc1.example.com,dc2.example.com_________ │
│ Admin Server: dc1.example.com_________________________ │
│[*] Use DNS to resolve hosts to realms │
│[*] Use DNS to locate KDCs for realms │
│ │
│ ┌──────┐ ┌──────┐ │
│ │ Back │ │ Next │ │
│ └──────┘ └──────┘ │
│ │
│ │
└────────────────────────────────────────────────────────┘

Select "Next"




┌─────────────────────┤ Winbind Settings ├─────────────────────┐
│ │
│ Security Model: (*) ads │
│ ( ) domain │
│ Domain: EX______________________________________ │
│ Domain Controllers: ________________________________________ │
│ ADS Realm: EXAMPLE.COM_____________________________ │
│ Template Shell: ( ) /sbin/nologin │
│ ( ) /bin/sh │
│ (*) /bin/bash │
│ ( ) /bin/ksh │
│ │
│ ┌──────┐ ┌─────────────┐ ┌────┐ │
│ │ Back │ │ Join Domain │ │ Ok │ │
│ └──────┘ └─────────────┘ └────┘ │
│ │
│ │
└──────────────────────────────────────────────────────────────┘

Select "Join Domain"
Select "Ok"


/etc/init.d/winbind restart
 
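A worked illustration of why the "groups" question in post #6 is the right diagnostic. sudo resolves a "%group" entry through NSS (getpwnam/getgrouplist, the same source "id -Gn" reads), so when PAM authenticates against Kerberos alone and nothing (winbind or sssd) feeds AD groups into NSS, no "%DOMAIN\\group" line can ever match. The script below is an added example and not code from the thread or from sudo: it parses the sudoers group syntax quoted in post #1 (backslash-escaped domain separator and spaces), compares the result with a group list, and flags the all-lowercase case that post #2 observed. The group lists are constructed sample output of "id -Gn"; function names and the result labels are this example's own.

```python
import grp
import os
import pwd

# Added example (not from the thread). sudo looks up the invoking user's
# groups via NSS and compares the name from a "%group" sudoers entry against
# that list. With Kerberos-only PAM auth and no winbind/sssd in nsswitch.conf,
# AD groups are absent from NSS, so the entry cannot match.


def parse_sudoers_group(line):
    """Return the group name from a sudoers '%group ...' entry, or None.

    sudoers escaping: '\\\\' stands for a literal backslash (the DOMAIN\\group
    separator) and '\\ ' for a literal space; the name ends at the first
    unescaped blank.
    """
    line = line.strip()
    if not line.startswith('%'):
        return None
    name, i = [], 1
    while i < len(line):
        c = line[i]
        if c == '\\' and i + 1 < len(line):   # escaped character: keep it literally
            name.append(line[i + 1])
            i += 2
        elif c in ' \t':                      # end of the group token
            break
        else:
            name.append(c)
            i += 1
    return ''.join(name)


def check_sudoers_group(line, user_groups):
    """Classify whether a '%group' sudoers line can match a user's NSS groups.

    user_groups is the list as NSS reports it (what `id -Gn` prints).
    Returns 'match', 'case-only-mismatch', 'no-match' or 'not-a-group-entry'.
    """
    target = parse_sudoers_group(line)
    if target is None:
        return 'not-a-group-entry'
    if target in user_groups:
        return 'match'
    # Post #2 saw winbind report AD groups in all lowercase; report that
    # separately so only the capitalisation of the entry needs checking.
    if target.lower() in {g.lower() for g in user_groups}:
        return 'case-only-mismatch'
    return 'no-match'


def nss_groups(username):
    """Live lookup on a real box: the groups NSS returns for username."""
    pw = pwd.getpwnam(username)
    names = []
    for gid in os.getgrouplist(pw.pw_name, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.append(str(gid))   # gid with no resolvable name
    return names


# Constructed sample `id -Gn` output with winbind and
# "winbind use default domain = yes" (no DOMAIN\ prefix on group names).
SAMPLE_GROUPS_DEFAULT_DOMAIN = ['whositwhatnow', 'domain users', 'domain admins']
# Constructed sample where winbind keeps the NetBIOS domain prefix.
SAMPLE_GROUPS_PREFIXED = ['EX\\domain users', 'EX\\domain admins']

if __name__ == '__main__':
    for entry in [r'%domain\ admins ALL=(ALL) ALL',
                  r'%EX\\Domain\ Admins ALL=(ALL) ALL',
                  r'%DOMAIN\\ITadmins ALL=(ALL) ALL']:
        print(entry, '->', repr(parse_sudoers_group(entry)),
              check_sudoers_group(entry, SAMPLE_GROUPS_DEFAULT_DOMAIN),
              check_sudoers_group(entry, SAMPLE_GROUPS_PREFIXED))
```

On a joined box the same comparison can be made by hand: "id -Gn user" or "getent group 'domain admins'" shows what NSS returns, and "wbinfo -g" shows what winbind itself sees; if the first two are empty while the third lists the groups, nsswitch.conf is the missing piece rather than the sudoers line.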
Old 01-07-2015, 08:34 AM   #10
whositwhatnow
Member
 
Registered: Mar 2012
Distribution: RHEL 5/6
Posts: 56

Original Poster
Rep: Reputation: Disabled
Thanks for this, I wasn't using winbind, I'm wondering if that was the issue.
 