Realm AD Group Sudo Access


Description:

With SSSD on RHEL boxes, one thing we want to do is grant sudo access based on Active Directory groups on Linux machines. Here is how to do it:

NOTE: For this to work, users in AD must have a 'uidNumber' and a 'gidNumber' assigned. These can be viewed on the 'Attributes' tab of the AD user object; the AD group object only needs a 'gidNumber'.

To Resolve:

  1. Create the AD group

  2. Assign a gidNumber to the group

$group = 'mygroup'
# Set a new GID value: take the highest gidNumber already used by groups in the OU and add 1

$properties = @{
    'LDAPFilter' = "(&(objectCategory=group)(gidNumber=*))"
    'SearchBase' = 'OU=blah,DC=domain,DC=com'
    'Properties' = 'gidNumber'
}
$groups = Get-ADObject @properties | Select-Object @{Name = "DN"; Expression = {$_.DistinguishedName}}, @{Name = "gid"; Expression = {[int]$_.gidNumber}}
$lastgid = ($groups | Sort-Object -Property gid | Select-Object -Last 1).gid
$newVal = $lastgid + 1

# Sanity check: this environment uses 10-digit GIDs; only write the attribute when the value looks right
if ($newVal.ToString().Length -eq 10)
{
    Write-Output "New gid Number: $newVal"
    Get-ADGroup $group | Set-ADGroup -Add @{ gidNumber = $newVal }
}
else
{
    Write-Warning "unable to find a value for new gid"
}

  3. Edit /etc/sudoers to allow the group, beneath the wheel entry

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
%test-group ALL=(ALL) ALL

  4. Add the user to that group in AD

  5. Once the user is removed from the group, they no longer have sudo access (after the cache refresh described in the note below).

NOTE:

Any time you change group membership in AD for Linux servers, you must run sss_cache -E; service sssd stop; rm -rf /var/lib/sss/db/*; service sssd start on each server the users should be able to access, otherwise the change does not take effect.
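To confirm that the pieces above line up on a given server (the group resolves through SSSD with a numeric GID, an active %group rule exists in sudoers, the user is actually a member, and the cache has been flushed), here is an added check script that is not part of the original post. It assumes it runs as root on the RHEL box, takes the AD group name (and optionally a user) as arguments, and defaults the sudoers path to /etc/sudoers.

```shell
#!/bin/sh
# Added example (not from the original post): verify the chain the steps above set up.
# Assumes: run as root on the RHEL box; AD group name passed in; sudoers defaults to /etc/sudoers.

# 0 if an uncommented "%group ..." rule exists in sudoers file $1 for group $2, else 1.
sudoers_grants_group() {
    grep -Eq "^[[:space:]]*%$2[[:space:]]" "$1"
}

# Print the GID from a "name:x:gid:members" getent line; return 1 if it is not numeric
# (an empty field means the AD group has no gidNumber, so SSSD cannot expose it).
gid_from_getent_line() {
    _gid=$(printf '%s' "$1" | cut -d: -f3)
    case $_gid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$_gid"
}

# 0 if user $2 is in the member list of getent line $1.
getent_line_has_member() {
    printf '%s' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qx "$2"
}

# Walk the chain for one group (and optionally one user); stop at the first gap.
check_ad_sudo_group() {
    _group=$1 _user=$2 _sudoers=${3:-/etc/sudoers}
    _line=$(getent group "$_group") || { echo "FAIL: $_group does not resolve through NSS/SSSD"; return 1; }
    _gid=$(gid_from_getent_line "$_line") || { echo "FAIL: $_group has no numeric GID (missing gidNumber?)"; return 1; }
    echo "OK: $_group resolves with GID $_gid"
    visudo -cf "$_sudoers" >/dev/null || { echo "FAIL: $_sudoers does not parse"; return 1; }
    sudoers_grants_group "$_sudoers" "$_group" || { echo "FAIL: no active %$_group rule in $_sudoers"; return 1; }
    echo "OK: %$_group rule present"
    [ -z "$_user" ] && return 0
    if getent_line_has_member "$_line" "$_user"; then
        echo "OK: $_user is a member as SSSD currently sees it"
    else
        echo "INFO: $_user is not a member: removed in AD, or the SSSD cache is stale"
    fi
    sudo -l -U "$_user"    # what sudo will actually grant right now
}

# The refresh sequence from the note above, so a membership change is applied immediately.
refresh_sssd_cache() {
    sss_cache -E && service sssd stop && rm -rf /var/lib/sss/db/* && service sssd start
}
```

Run `check_ad_sudo_group test-group alice` before and after `refresh_sssd_cache` to see whether a removal in AD has reached the server yet.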
