Realm AD Group Sudo Access

1 minute read

Description:

So with SSSD on RHEL boxes, one thing we want to do is use Active Directory groups on linux machines. This is how you can do this:

NOTE: For this to work, users in AD must have a ‘uidNumber’ and a ‘gidNumber’ assigned. These can be viewed on ‘Attributes’ tab in the AD User object and the AD Group Object which only has a ‘gidNumber’.

To Resolve:

  1. Create ad group

  2. Assign gidnumber to the group

    $group = mygroup
    # Set a new GID value 
       
    $properties = @{ 
       'LDAPFilter' = "(&(objectCategory=group)(gidNumber=*))" 
       'SearchBase' = 'OU=blah,DC=domain,DC=com' 
       'Properties' = 'gidNumber' 
    } 
    $groups = Get-ADObject @Properties| Select-Object @{Name = "DN"; Expression = {$_.DistinguishedName}}, @{Name = "gid"; Expression = {$_.gidNumber}} 
    $lastgid = ($groups | Sort-Object -Property gid | select -Last 1).gid 
    $newVal = $lastgid + 1 
       
    If ($newVal.tostring().length -eq 10) 
    {  
       Write-Output "New gid Number: $newval" 
    } 
    Else  
    { 
       "unable to find a value for new gid" 
    } 
    Get-ADGroup $group | Set-ADGroup -Add @{ gidNumber = $newval }
    
  3. Edit /etc/sudoers to allow them under wheel

    # Uncommment to allow people in group wheel to run all commands  
    # %wheel ALL=(ALL) ALL  
    %test-group ALL=(ALL) ALL
    
  4. Add user to that group in ad

  5. Upon removing user from group, they will not have sudo access.

  6. Any time you make a change to group membership in AD for linux servers, you must run sss_cache -E; service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start on the servers you want the users to access for it to take effect.

Categories: ,

Updated: