Having users su/sudo in Linux based on Active Directory group when using pam_winbind

I'm using openSUSE 11.4 which has Active Directory configuration built-in to Yast (which does all the pam_winbind, Kerberos, nss, Samba-client stuff for you) and I can successfully authenticate against my AD domain.

I created an AD group called LinuxAdmins and I'd like to have a way for people in that group to either be able to su on certain Linux servers without the root password or sudo on those machines using their own passwords.

The way openSUSE configures AD, it sets the username with the domain prefixed. So my username would be MYDOMAIN\djsumdog. If I try adding either of the following lines to the sudoers file, I still can't sudo with my user. I keep getting "MYDOMAIN\djsumdog is not in the sudoers file. This incident will be reported." I've tried both single and double slashes for the user and group names.

%MYDOMAIN\LinuxAdmins ALL=(ALL) ALL
MYDOMAIN\djsumdog ALL=(ALL) ALL

I know on my Gentoo box, the following line in /etc/pam.d/su allows users in the wheel group to su without a password:

auth       sufficient   pam_wheel.so use_uid trust

But this doesn't seem to work in openSUSE (even with local users), much less AD users. I tried using the pam_winbind.so module as well:

#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     include        common-auth
auth     sufficient     pam_winbind.so require_membership_of=MYDOMAIN\\LinuxAdmins
account  sufficient     pam_rootok.so
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so

But I don't think that will work as the require_membership_of parameter seems to be for the primary authentication against the entire machine.

I know sudo with the user's password is more secure, but I would be happy if I could get either su or sudo working by validating the user against his or her AD group.


Solution 1:

Per Hadyman5's comment, I ran the following:

 id MYDOMAIN\\djsumdog

...and saw that my group was actually MYDOMAIN\linuxadmins, all lower case. I then added the following to my sudo configuration:

%MYDOMAIN\\linuxadmins ALL=(ALL) ALL

And sudo works fine now with the users in that group.
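The two things that tripped up the question are the case of the group name as winbind reports it and the backslash escaping sudoers needs. The following POSIX shell script is an added example, not part of the original answer: it takes the output of `id` (a constructed sample is embedded so it runs offline), finds the wanted group with a case-insensitive match, and prints a sudoers line with backslashes (and any spaces, as in "domain users") escaped. The function names and the sample uid/gid numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): derive a sudoers group line
# from what winbind actually reports, instead of from the AD display name.

# Constructed sample; a real run would use:  id "MYDOMAIN\\djsumdog"
SAMPLE_ID_OUTPUT='uid=10001(MYDOMAIN\djsumdog) gid=10000(MYDOMAIN\domain users) groups=10000(MYDOMAIN\domain users),10005(MYDOMAIN\linuxadmins)'

# winbind_group_name ID_OUTPUT WANTED_GROUP
# Prints the group exactly as winbind spells it (usually all lower case),
# matching WANTED_GROUP case-insensitively. Prints nothing if not a member.
winbind_group_name() {
    id_output=$1
    wanted_lc=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$id_output" \
      | sed -n 's/.*groups=//p' \
      | tr ',' '\n' \
      | sed 's/^[0-9]*(\(.*\))$/\1/' \
      | while IFS= read -r g; do
            g_lc=$(printf '%s' "$g" | tr '[:upper:]' '[:lower:]')
            if [ "$g_lc" = "$wanted_lc" ]; then
                printf '%s\n' "$g"
            fi
        done
}

# sudoers_group_line GROUP
# Prints "%DOMAIN\\group ALL=(ALL) ALL": the single backslash winbind uses
# is doubled, and spaces inside the name are backslash-escaped, which is
# what the sudoers grammar expects.
sudoers_group_line() {
    escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/ /\\ /g')
    printf '%%%s ALL=(ALL) ALL\n' "$escaped"
}

# Stand-alone usage on the constructed sample.
group=$(winbind_group_name "$SAMPLE_ID_OUTPUT" 'MYDOMAIN\LinuxAdmins')
if [ -n "$group" ]; then
    sudoers_group_line "$group"
else
    echo "user is not in the wanted group according to winbind" >&2
fi
```

Put the resulting line in a file under /etc/sudoers.d (edited with visudo so a syntax error cannot lock you out), then confirm the grant as root with `sudo -l -U 'MYDOMAIN\djsumdog'` before relying on it.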