How to add Domain Admins to sudoers

Solution 1:

This also worked for me:

%domain^admins ALL=(ALL:ALL) ALL

I assume this is because of the following commands used when setting up PBIS:

sudo /opt/pbis/bin/config UserDomainPrefix $domain
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U

This seems to make the domain accounts appear as local accounts to the system by assuming the domain name is before the login account. Therefore the domain name is not required by the sudoers list.

Any thoughts?

Solution 2:

Here is another way of doing it, without requiring all the fancy escaping and also without guessing at the exact group name. I tested with winbind.

  1. Figure out the group name:

    $ getent group | grep -i admin
    MYDOMAIN\Domain Admins:*:100006:

  2. Add the group you see above to the sudoers file. We can use the sudoers.d directory to avoid changing the main sudoers file (e.g. to avoid a merge if a distribution upgrade changes it).

    $ visudo -f /etc/sudoers.d/DomainAdmins
    # Add this line:
    "%MYDOMAIN\Domain Admins" ALL=(ALL) ALL


From the sudoers(5) man page:

A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may be enclosed in double quotes to avoid the need for escaping special characters.

Solution 3:

Depends on your setup sometimes...

%domain\ admins ALL=(ALL) ALL

%domain\\domain\ admins ALL=(ALL) ALL

%domain\ [email protected] ALL=(ALL) ALL

The last one is the one I actually had to use to get mine to work... I'm using sssd and realmd to join my domain.

Many suggestions in the past showed using domain^admins, but that has never personally worked for me; according to many posts, it has worked for others. Having the first word followed by a \ indicates there is a valid space, so it is not read as an invalid character. I hope this helps.
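As an added example (not code from any of the answers above), this script ties Solution 2 and Solution 3 together: it takes a getent(1) group line in the winbind "DOMAIN\Group" style, emits both the double-quoted sudoers(5) spelling and the backslash-escaped one, and only installs a rule into /etc/sudoers.d after visudo -c has accepted it. The getent line is constructed sample output; the target file name /etc/sudoers.d/DomainAdmins is taken from Solution 2.

```shell
#!/bin/sh
# Constructed sample of `getent group` output for a domain group (winbind style).
SAMPLE_GETENT_LINE='MYDOMAIN\Domain Admins:*:100006:'

# Group field of a group(5) entry: everything before the first colon.
group_name_from_getent() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Quoted form: sudoers(5) allows a group name in double quotes, so the
# backslash and the space inside the name need no escaping at all.
sudoers_line_quoted() {
    printf '"%%%s" ALL=(ALL) ALL\n' "$1"
}

# Escaped form: without quotes every backslash must become \\ and every
# space must become "\ " so sudoers does not treat the space as a separator.
sudoers_line_escaped() {
    escaped=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g')
    printf '%%%s ALL=(ALL) ALL\n' "$escaped"
}

# Stage the rule in a temp file and let visudo check the syntax first; a
# broken file in /etc/sudoers.d can lock everyone out of sudo. The final
# `install` into /etc/sudoers.d needs root.
install_sudoers_rule() {
    rule=$1
    target=${2:-/etc/sudoers.d/DomainAdmins}
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    if visudo -c -q -f "$tmp"; then
        install -m 0440 "$tmp" "$target"; rc=$?
    else
        echo "refusing to install: sudoers syntax check failed" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

group=$(group_name_from_getent "$SAMPLE_GETENT_LINE")
sudoers_line_quoted "$group"    # "%MYDOMAIN\Domain Admins" ALL=(ALL) ALL
sudoers_line_escaped "$group"   # %MYDOMAIN\\Domain\ Admins ALL=(ALL) ALL
```

Run `install_sudoers_rule "$(sudoers_line_quoted "$group")"` as root to write the checked rule; if visudo rejects the spelling, nothing is touched.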