SUSE Support

Here When You Need Us

Configure sudo authentication for Active Directory group

This document (7018675) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP 2
SUSE Linux Enterprise Server 15 SP 1
SUSE Linux Enterprise Server 12 SP 5
SUSE Linux Enterprise Server 12 SP 4
SUSE Linux Enterprise Server 12 SP 3
SUSE Linux Enterprise Server 12 SP 2
SUSE Linux Enterprise Server 11 SP 4

Situation

Administrator user accounts managing SLES systems are configured in an Active Directory domain.

Resolution

Use visudo to modify the sudoers file for this type of authentication:

1. Comment out the two lines requesting the password of the target user (root) for sudo authentication:

#Defaults target pw  # ask for the password of the target user i.e. root
#ALL        ALL=(ALL) ALL    # WARNING! Only use this together with 'Defaults targetpw'!

2. Add a new line somewhere under the "## User privilege specification" comment describing the Domain and Group to be included when running commands through sudo.

For this step we'll be assuming that the AD Domain is named "DOMAIN1", the group is "domain admins", and that users in this AD group may run any command under any user.

2a. When using Winbind:

## User privilege specification
root ALL=(ALL) ALL
"%DOMAIN1\domain admins" ALL=(ALL) ALL

2b. When using SSSD, if DOMAIN1 is the default domain:

## User privilege specification
root ALL=(ALL) ALL
"%domain admins" ALL=(ALL) ALL

2c. When using SSSD, if DOMAIN1 is a trusted domain:

## User privilege specification
root ALL=(ALL) ALL
"%domain admins@DOMAIN1" ALL=(ALL) ALL

Additional Information

Before attempting to set up sudo to authenticate against an Active Directory Domain, make sure the SUSE Linux Enterprise system is properly configured with said AD Domain in the YaST Windows Domain Membership module.

Edit the /etc/sudoers file with caution. NEVER edit the file directly; instead, always use the visudo command to edit sudoers configuration as it will check for syntax errors which may result in a "lock out" situation.
 

Secondly, please note that these syntax recommendations are assuming several default parameters. Depending on how the client has been adjusted for an environment, the syntax needed may change. Some example parameters that can change the necessary syntax are:

For winbind in the /etc/samba/smb.conf:

winbind use default domain = yes
winbind separator = @

For sssd in the /etc/sssd/sssd.conf:

​​​​​​​use_fully_qualified_names = true
default_domain_suffix = <trusted domain>

The first winbind parameter may cause the "DOMAIN1\" to be unnecessary or to not work if it is the default domain. The second parameter would change the character used to separate the domain from the user to be different from the default "\" character to another, such as "@" in my example.

The first sssd parameter would require that the "@domain" portion be included even for the default domain. The second parameter would change which domain should not be included when providing users or groups.​​​​

​​​There could be other parameters that effect syntax behavior as well. We're unable to be completely exhaustive and have only tried to note the more common pitfalls. So note your configuration carefully! 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7018675
  • Creation Date: 28-Feb-2017
  • Modified Date:08-Jun-2022
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.