Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

  1. #1 (Join Date: Jun 2023 | Beans: 9)

    Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

    Hello everyone, on my Ubuntu Server 22.04, joined to my AD server via SSSD, I'm unable to add an Active Directory group to the sudo group. I added the group to the /etc/sudoers file and it looks like this:


    Code:
    #Allow members of group sudo to execute any command
    %sudo ALL=(ALL:ALL) ALL
    %digital-tech-staff-sambaserver-L3-test-Admin-L@mydomain-name.it ALL=(ALL) ALL


    Users can connect correctly via SSH, but when they run the "sudo su" command, the Ubuntu server responds with "username@domain.it is not in the sudoers file. This incident will be reported."


    To temporarily solve the issue, I manually added EACH member of the AD group with the command "sudo usermod -aG sudo username." Fortunately, the group was small, but I will have the problem with groups with many more members.
    Can someone please give me some ideas on how to solve this? Thanks in advance.

  2. #2 (Join Date: Mar 2010 | Location: USA | Beans: Hidden! | Distro: Ubuntu Development Release)

    Re: Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

    Please post raw format and commands within Code Tags. I edited the quote so it is easier to read there. Look at what I highlighted in red...
    Quote Originally Posted by fandreani View Post
    Code:
    #Allow members of group sudo to execute any command
    %sudo ALL=(ALL:ALL) ALL 
    %digital-tech-staff-sambaserver-L3-test-Admin-L@mydomain-name.it ALL=(ALL) ALL
    Do not specify the domain name after group name. Just the group name, like this:
    Code:
    %digital-tech-staff-sambaserver-L3-test-Admin-L ALL=(ALL) ALL
    That's a Windows thing that doesn't cross over to Linux. Linux sees all that text as literal, and says that (whole text) is not the "group name" I see...
    Last edited by MAFoElffen; 2 Weeks Ago at 02:31 AM.

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
    Sticky: Graphics Resolution | UbuntuForums 'system-info' Script | Posting Guidelines | Code Tags

  3. #3 (Join Date: Jun 2023 | Beans: 9)

    Re: Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

    Hi, thank you for the reply. I tried your solution but I get the same result (user@domain.it is not in sudoers).

  4. #4 (Join Date: Mar 2010 | Location: USA | Beans: Hidden! | Distro: Ubuntu Development Release)

    Re: Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

    Please post the results of these, posting the output within CODE Tags:
    Code:
    sudo grep -v -e '#\|^$' /etc/sudoers
    sudo grep -v -e '#\|^$' /etc/sudoers.d/*
    And had you rebooted the server since the edit, so that the edit could apply in the current environment?
    Last edited by MAFoElffen; 1 Week Ago at 01:28 PM.


  5. #5 (Join Date: Jun 2023 | Beans: 9)

    Re: Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

    Hi, thanks again for the reply. Here are the results from the commands.
    Results for sudo grep -v -e '#\|^$' /etc/sudoers
    Code:
    fandreani@domain.it@sambaserver-l3-test:~$ sudo grep -v -e '#\|^$' /etc/sudoers
    Defaults    env_reset
    Defaults    mail_badpass
    Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
    Defaults    use_pty
    root    ALL=(ALL:ALL) ALL
    %admin ALL=(ALL) ALL
    %IT-Tech-Staff-Linux-Servers-L    ALL=(ALL)   ALL
    %sudo    ALL=(ALL:ALL) ALL
    %digital-tech-staff-sambaserver-L3-test-Admin-L   ALL=(ALL)    ALL
    %IT-Tech-Staff-A-G    ALL=(ALL)   ALL
    @includedir /etc/sudoers.d
    The other command, sudo grep -v -e '#\|^$' /etc/sudoers.d/*, displays nothing, and yes, I have rebooted the server.

  6. #6 (Join Date: Mar 2010 | Location: USA | Beans: Hidden! | Distro: Ubuntu Development Release)

    Re: Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

    Quote Originally Posted by fandreani View Post
    Code:
    %IT-Tech-Staff-Linux-Servers-L    ALL=(ALL)   ALL
    %digital-tech-staff-sambaserver-L3-test-Admin-L   ALL=(ALL)    ALL
    %IT-Tech-Staff-A-G    ALL=(ALL)   ALL
    Let's see how those groups show up as (?)
    Code:
    getent group | grep -E 'IT-Tech-Staff-Linux-Servers-L|digital-tech-staff-sambaserver-L3-test-Admin-L|IT-Tech-Staff-A-G'
    Then modify from that output...


  7. #7 (Join Date: May 2010 | Beans: 3,268)

    Re: Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

    If you run:
    Code:
    visudo -c
    Does the file check as OK? If you also run:
    Code:
    id foo
    (Change 'foo' to the actual username here.) Do you see the names and IDs from your domain?

  8. #8 (Join Date: Jun 2023 | Beans: 9)

    Re: Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

    Quote Originally Posted by MAFoElffen View Post
    Let's see how those groups show up as (?)
    Code:
    getent group | grep -E 'IT-Tech-Staff-Linux-Servers-L|digital-tech-staff-sambaserver-L3-test-Admin-L|IT-Tech-Staff-A-G'
    Then modify from that output...
    Hi, I tried, but this command shows nothing in the output.

    EDIT: I noticed that any user in our domain from other AD groups not specified in the sudoers file can authenticate via SSH but cannot execute commands because they are not listed in the sudoers file.
    Could there be something else we're overlooking?
    Last edited by fandreani; 1 Week Ago at 10:57 AM.

  9. #9 (Join Date: Jun 2023 | Beans: 9)

    Re: Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

    Hi, here is the result for # visudo -c

    Code:
    fandreani@domain.it@sambaserver-l3-test:~$ sudo visudo -c
    /etc/sudoers: parsed OK
    /etc/sudoers.d/README: parsed OK
    and here is the result of the command # id fandreania@domain.it, which is a member of the AD group %IT-Tech-Staff-Linux-Servers-L
    Code:
    fandreani@domain.it@sambaserver-l3-test:~$ id fandreania@domain.it
    uid=952401222(fandreania@domain.it) gid=952400513(s-1-5-21-2495866372-2476539352-2360203011-513@domain.it) groups=952400513(s-1-5-21-2495866372-2476539352-2360203011-513@domain.it),952400572(s-1-5-21-2495866372-2476539352-2360203011-572@domain.it),952401374(s-1-5-21-2495866372-2476539352-2360203011-1374@domain.it),952401194(s-1-5-21-2495866372-2476539352-2360203011-1194@domain.it),952401193(s-1-5-21-2495866372-2476539352-2360203011-1193@domain.it),952401214(s-1-5-21-2495866372-2476539352-2360203011-1214@domain.it),952401156(s-1-5-21-2495866372-2476539352-2360203011-1156@domain.it),952403109(s-1-5-21-2495866372-2476539352-2360203011-3109@domain.it),952400512(s-1-5-21-2495866372-2476539352-2360203011-512@domain.it),952401179(s-1-5-21-2495866372-2476539352-2360203011-1179@domain.it),952401579(s-1-5-21-2495866372-2476539352-2360203011-1579@domain.it),952401524(s-1-5-21-2495866372-2476539352-2360203011-1524@domain.it)

    I'm a bit confused by this output; I didn't expect numbers but rather the names of the groups from AD.
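    Added example, not code from any post in this thread: a small POSIX shell diagnostic that makes the check behind posts #2, #6 and #9 explicit. sudo matches a %name rule only against the group names NSS (here SSSD) returns for the user, so a rule can work only if its name equals, character for character, a name inside the parentheses of `id user`; if `id` prints SID-shaped names (s-1-5-21-...) instead of AD group names, no %name rule written with the AD name can match. The script pulls the %group rules out of sudoers text, pulls the group names out of `id` output, counts how many of the user's groups came back as bare SIDs, and prints which rules match. The sudoers text and the unresolved `id` line are trimmed from posts #5 and #9; ID_RESOLVED, the "domain users" name and the fully qualified rule %digital-tech-staff-sambaserver-L3-test-Admin-L@domain.it are assumptions showing what a matching pair looks like when SSSD hands out fully qualified names.

```shell
#!/bin/sh
# Added diagnostic for the thread above; not code from the original posts.
# sudo compares a "%name" rule with the group names NSS returns for the
# user, so the test is: does any %name in sudoers equal, exactly, a name
# inside the parentheses of `id user`? Sample inputs are constructed
# (SUDOERS_SAMPLE trimmed from post #5, ID_UNRESOLVED trimmed from post #9,
# ID_RESOLVED hypothetical).

# Print the group name of every "%group" rule in sudoers text read on stdin.
# Assumes no backslash-escaped spaces in the names, as in this thread.
sudoers_group_rules() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' |
        awk '$1 ~ /^%/ { sub(/^%/, "", $1); print $1 }'
}

# Print the group names (text inside parentheses) from `id` output on stdin.
id_group_names() {
    sed -n 's/.*groups=//p' | tr ',' '\n' |
        sed -n 's/^[0-9][0-9]*(\(.*\))$/\1/p'
}

# $1 = id output. Print how many of the user's groups came back as bare
# SIDs (s-1-5-21-...) instead of names: for those, a GID exists but no AD
# group name was returned, so no %name rule can match them.
count_unresolved_sids() {
    printf '%s\n' "$1" | id_group_names | grep -ci '^s-1-5-21-' || true
}

# $1 = sudoers text, $2 = id output. Print every %group rule whose name is
# exactly (case-sensitive, as assumed here) one of the user's group names;
# exit 0 if at least one matched, 1 otherwise.
matching_sudo_groups() {
    rules=$(printf '%s\n' "$1" | sudoers_group_rules)
    names=$(printf '%s\n' "$2" | id_group_names)
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$names" | grep -qxF -- "$rule" && printf '%s\n' "$rule"
    done | grep .
}

# Constructed sudoers text (trimmed from post #5; the last %rule is a
# hypothetical fully qualified form added for this example).
SUDOERS_SAMPLE='Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
%IT-Tech-Staff-Linux-Servers-L    ALL=(ALL)   ALL
%digital-tech-staff-sambaserver-L3-test-Admin-L@domain.it   ALL=(ALL)    ALL
@includedir /etc/sudoers.d'

# Trimmed from post #9: the groups came back as SIDs, not names.
ID_UNRESOLVED='uid=952401222(fandreania@domain.it) gid=952400513(s-1-5-21-2495866372-2476539352-2360203011-513@domain.it) groups=952400513(s-1-5-21-2495866372-2476539352-2360203011-513@domain.it),952401374(s-1-5-21-2495866372-2476539352-2360203011-1374@domain.it)'

# Hypothetical: the same user once group names resolve and SSSD uses fully
# qualified names (every group carries the @domain.it suffix).
ID_RESOLVED='uid=952401222(fandreania@domain.it) gid=952400513(domain users@domain.it) groups=952400513(domain users@domain.it),952401374(IT-Tech-Staff-Linux-Servers-L@domain.it),952401194(digital-tech-staff-sambaserver-L3-test-Admin-L@domain.it)'

# $1 = label, $2 = id output. Summarise both checks for one user.
report() {
    printf '%s: %s unresolved SID group(s)\n' "$1" "$(count_unresolved_sids "$2")"
    if m=$(matching_sudo_groups "$SUDOERS_SAMPLE" "$2"); then
        printf '%s: sudoers rules that match: %s\n' "$1" "$m"
    else
        printf '%s: no %%group rule in sudoers matches this user\n' "$1"
    fi
}

report unresolved "$ID_UNRESOLVED"
report resolved   "$ID_RESOLVED"
```

    On a live host, feed it `sudo cat /etc/sudoers` (plus the /etc/sudoers.d files) and the output of `id user` in place of the samples. Note that in the resolved sample the short rule %IT-Tech-Staff-Linux-Servers-L still does not match, because the name NSS returns is IT-Tech-Staff-Linux-Servers-L@domain.it; whichever form `getent group` prints is the form the sudoers rule must use.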

  10. #10 (Join Date: Mar 2010 | Location: USA | Beans: Hidden! | Distro: Ubuntu Development Release)

    Re: Help with adding an AD group to sudoers file on Ubuntu server 22.04 joined to AD

    I have a few things to try (one at a time):
    Code:
    %SMB\\digital-tech-staff-sambaserver-L3-test-Admin-L ALL=(ALL) ALL
    %digital-tech-staff-sambaserver-L3-test-Admin-L@DOMAIN.IT ALL=(ALL) ALL
    %DOMAIN.IT\\digital-tech-staff-sambaserver-L3-test-Admin-L ALL=(ALL:ALL) ALL

