Configure sudo authentication for Active Directory group
This document (7018675) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP 1
SUSE Linux Enterprise Server 12 SP 5
SUSE Linux Enterprise Server 12 SP 4
SUSE Linux Enterprise Server 12 SP 3
SUSE Linux Enterprise Server 12 SP 2
SUSE Linux Enterprise Server 11 SP 4
Situation
Resolution
Use visudo to modify the sudoers file for this type of authentication:
1. Comment out the two lines requesting the password of the target user (root) for sudo authentication:
#Defaults targetpw   # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
2. Add a new line somewhere under the "## User privilege specification" comment describing the Domain and Group to be included when running commands through sudo.
For this step we'll be assuming that the AD Domain is named "DOMAIN1", the group is "domain admins", and that users in this AD group may run any command under any user.
2a. When using Winbind:
## User privilege specification
root ALL=(ALL) ALL
"%DOMAIN1\domain admins" ALL=(ALL) ALL
2b. When using SSSD, if DOMAIN1 is the default domain:
## User privilege specification
root ALL=(ALL) ALL
"%domain admins" ALL=(ALL) ALL
2c. When using SSSD, if DOMAIN1 is a trusted domain:
## User privilege specification
root ALL=(ALL) ALL
"%domain admins@DOMAIN1" ALL=(ALL) ALL
Additional Information
Before attempting to set up sudo to authenticate against an Active Directory Domain, make sure the SUSE Linux Enterprise system is properly configured with said AD Domain in the YaST Windows Domain Membership module.
Edit the /etc/sudoers file with caution. NEVER edit the file directly; always use the visudo command, which checks the sudoers configuration for syntax errors that could otherwise lock you out of sudo entirely.
Secondly, please note that these syntax recommendations are assuming several default parameters. Depending on how the client has been adjusted for an environment, the syntax needed may change. Some example parameters that can change the necessary syntax are:
For winbind in the /etc/samba/smb.conf:
winbind use default domain = yes
winbind separator = @
For sssd in the /etc/sssd/sssd.conf:
use_fully_qualified_names = true
default_domain_suffix = <trusted domain>
The first winbind parameter can make the "DOMAIN1\" prefix unnecessary, or even cause it to fail, when DOMAIN1 is the default domain. The second parameter changes the character that separates the domain from the user or group from the default "\" to another character, such as "@" in my example.
The first sssd parameter requires the "@domain" suffix to be present even for the default domain. The second parameter changes which domain may be omitted when specifying users or groups.
Other parameters may affect the required syntax as well. We cannot be completely exhaustive here and have only noted the more common pitfalls, so check your configuration carefully!
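As an added example, not part of this TID, the POSIX shell functions below encode the rules from steps 2a to 2c together with the smb.conf and sssd.conf parameters listed above: given the backend, the client's default domain, the winbind separator and whether short names are allowed, they emit the group specification and the sudoers line, and syntax-check a fragment with visudo in check mode without touching /etc/sudoers. The domain DOMAIN1 and the group "domain admins" are the article's values; DOMAIN2, the temporary fragment and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of SUSE TID 7018675. Builds the sudoers group line for an
# AD group from the backend and the parameters the TID says change the syntax.
# DOMAIN1 / "domain admins" are the TID's values; everything else is constructed.

# ad_group_spec BACKEND DOMAIN GROUP DEFAULT_DOMAIN SEPARATOR SHORT_NAMES_OK
#   BACKEND        winbind or sssd
#   DOMAIN, GROUP  AD domain and group that should be allowed to use sudo
#   DEFAULT_DOMAIN domain whose name the client may omit (for sssd this is the
#                  domain named by default_domain_suffix, if that is set)
#   SEPARATOR      winbind separator: "\" unless smb.conf sets "winbind separator";
#                  ignored for sssd, which always uses "@"
#   SHORT_NAMES_OK yes if the default domain may be omitted, i.e.
#                  "winbind use default domain = yes" or
#                  "use_fully_qualified_names = false"
ad_group_spec() {
    backend=$1 domain=$2 group=$3 default_domain=$4 separator=$5 short_ok=$6
    case $backend in
        winbind)
            if [ "$short_ok" = yes ] && [ "$domain" = "$default_domain" ]; then
                printf '%s\n' "$group"                             # domain admins
            else
                printf '%s%s%s\n' "$domain" "$separator" "$group"  # DOMAIN1\domain admins
            fi ;;
        sssd)
            if [ "$short_ok" = yes ] && [ "$domain" = "$default_domain" ]; then
                printf '%s\n' "$group"                             # domain admins
            else
                printf '%s@%s\n' "$group" "$domain"                # domain admins@DOMAIN1
            fi ;;
        *)
            echo "ad_group_spec: unknown backend '$backend'" >&2
            return 1 ;;
    esac
}

# sudoers_line SPEC
# The line to place under "## User privilege specification". The group is quoted
# because the AD group name contains a space; %% yields a literal % in printf.
sudoers_line() {
    printf '"%%%s" ALL=(ALL) ALL\n' "$1"
}

# check_fragment FILE
# Syntax-check a sudoers fragment with visudo in check mode. With -f, visudo parses
# only the named file and skips the owner/mode check, so an unprivileged temp file
# is fine. /etc/sudoers itself is still only ever edited through visudo.
check_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$1"
    else
        echo "check_fragment: visudo not installed, $1 not checked" >&2
        return 0
    fi
}

# Demo: the three forms from the TID plus two "changed parameter" cases.
demo() {
    tmp=$(mktemp) || return 1
    {
        echo "## User privilege specification"
        echo "root ALL=(ALL) ALL"
        sudoers_line "$(ad_group_spec winbind DOMAIN1 'domain admins' DOMAIN1 '\' no)"   # 2a
        sudoers_line "$(ad_group_spec sssd    DOMAIN1 'domain admins' DOMAIN1 '' yes)"   # 2b
        sudoers_line "$(ad_group_spec sssd    DOMAIN1 'domain admins' DOMAIN2 '' yes)"   # 2c, DOMAIN2 is the default
        sudoers_line "$(ad_group_spec winbind DOMAIN1 'domain admins' DOMAIN2 '@' yes)"  # winbind separator = @
        sudoers_line "$(ad_group_spec sssd    DOMAIN1 'domain admins' DOMAIN1 '' no)"    # use_fully_qualified_names = true
    } > "$tmp"
    cat "$tmp"
    check_fragment "$tmp" || echo "demo: visudo rejected the fragment" >&2
    rm -f "$tmp"
}
demo
```

The demo writes the generated lines to a temporary file and runs visudo -c -q -f on it, which is the same check visudo performs before saving an edit; a rejected fragment is reported instead of being applied, so nothing reaches /etc/sudoers unless it parses.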
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7018675
- Creation Date: 28-Feb-2017
- Modified Date: 08-Jun-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com