8

We have multiple Linux servers that authenticate to an Active Directory Domain. For a group in AD, I want to add a list of commands that are allowed to run as root using sudo. I can obviously ssh in to each computer and update the sudoers file, but that will take some time. Also, root login is not allowed, so passwordless logins will only work for non-root users.

Is there a quick way to update the sudoers file for each Linux computer at once? I am thinking of a Perl or Python script with some system administration abilities here.

Update: Thanks voretaq7 and Shane Madden. I had thought about deploying cfengine at one point, but we don't have it running currently. We have decided that using LDAP would be the best solution. I am getting an error importing the LDIF schema schema.ActiveDirectory for sudo. The error is "parameter is not correct" on line 144.

This is the content from line 144 onwards:

dn: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: classSchema
cn: sudoRole
distinguishedName: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
instanceType: 4
possSuperiors: container
possSuperiors: top
subClassOf: top
governsID: 1.3.6.1.4.1.15953.9.2.1
mayContain: sudoCommand
mayContain: sudoHost
mayContain: sudoOption
mayContain: sudoRunAs
mayContain: sudoRunAsUser
mayContain: sudoRunAsGroup
mayContain: sudoUser
rDNAttID: cn
showInAdvancedViewOnly: FALSE
adminDisplayName: sudoRole
adminDescription: Sudoer Entries
objectClassCategory: 1
lDAPDisplayName: sudoRole
name: sudoRole
schemaIDGUID:: SQn432lnZ0+ukbdh3+gN3w==
systemOnly: FALSE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
defaultObjectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=X

The command that I used is:

ldifde -i -f schema.ActiveDirectory -c dc=X dc=DOMAINNAME,dc=LOCAL

Update2: I created a new question. Thanks everybody for suggestions.

rchhe
  • You should probably post the AD Schema-modifying bit as a separate question -- I'm not really up on all the AD-specific stuff that has to be done to modify the LDAP schema & import new objects, but I know we have a lot of MS/AD gurus on here who would pick it up under the [tag:active-directory] & [tag:ldap] tags – voretaq7 Dec 12 '11 at 21:17
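A script along the lines the question asks for, added here as an example and not taken from the original post or its answers: it renders a /etc/sudoers.d drop-in for one AD group, rejects commands that are not absolute paths or that carry globs and shell metacharacters, and on each host checks the fragment with `visudo -cf` before installing it with root ownership and mode 0440 (sudo refuses drop-ins with other modes, and ignores file names containing a dot or ending in `~`). The admin account, host names, group and command list are constructed placeholders; it assumes that account can sudo without a password over a non-interactive SSH session and that the AD group already resolves on the hosts through winbind or sssd.

```python
#!/usr/bin/env python3
"""Generate a /etc/sudoers.d drop-in for one AD group and push it to many hosts.

Added example for this thread, not code from the original post. Assumes a
non-root admin account with passwordless SSH and passwordless sudo on every
host, and that the AD group resolves locally (winbind/sssd) so that "%group"
in sudoers matches its members.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Optional

# Characters that would widen a Cmnd_Spec beyond the intended command:
# globs, shell metacharacters, quoting and line breaks.
_UNSAFE_CMD = re.compile(r"[*?\[\]{}<>|&;$`\"'\n\r]")
# sudo skips sudoers.d files whose name contains '.' or ends in '~'.
_FRAGMENT_NAME = re.compile(r"[A-Za-z0-9_-]+")


def check_command(cmd: str) -> Optional[str]:
    """Return None if CMD is acceptable in a Cmnd_Spec, else the reason it is not."""
    prog = cmd.split(" ", 1)[0]
    if not prog.startswith("/"):
        return "command must be an absolute path (ALL and bare names are rejected)"
    if _UNSAFE_CMD.search(cmd):
        return "command contains glob or shell metacharacters"
    return None


def sudoers_escape(name: str) -> str:
    """Escape a group name for sudoers: backslash and space are special there."""
    return name.replace("\\", "\\\\").replace(" ", "\\ ")


def is_valid_fragment_name(name: str) -> bool:
    """True if sudo is guaranteed to read a sudoers.d file with this name."""
    return _FRAGMENT_NAME.fullmatch(name) is not None


def render_fragment(group: str, commands: Iterable[str],
                    run_as: str = "root", nopasswd: bool = False) -> str:
    """Build the drop-in text: one rule line per command, for easy auditing."""
    specs: List[str] = []
    for cmd in commands:
        problem = check_command(cmd)
        if problem:
            raise ValueError(f"{cmd!r}: {problem}")
        specs.append(cmd)
    if not specs:
        raise ValueError("no commands given")
    tag = "NOPASSWD: " if nopasswd else ""
    user_spec = "%" + sudoers_escape(group)
    lines = [f"# Managed centrally for AD group '{group}'; do not edit by hand."]
    lines += [f"{user_spec} ALL=({run_as}) {tag}{spec}" for spec in specs]
    return "\n".join(lines) + "\n"


def remote_install_script(fragment_name: str) -> str:
    """Shell run on each host: stage to a temp file, check with visudo, install atomically."""
    if not is_valid_fragment_name(fragment_name):
        raise ValueError(f"bad fragment name {fragment_name!r}")
    target = f"/etc/sudoers.d/{fragment_name}"
    return (
        'set -e; tmp=$(mktemp); cat > "$tmp"; '
        'sudo visudo -cf "$tmp" >/dev/null; '
        f'sudo install -o root -g root -m 0440 "$tmp" {target}; '
        'rm -f "$tmp"'
    )


def deploy(hosts: Iterable[str], admin_user: str, fragment_name: str,
           content: str) -> Dict[str, bool]:
    """Push CONTENT to every host over SSH; a host is True only if visudo accepted it."""
    script = remote_install_script(fragment_name)
    results: Dict[str, bool] = {}
    for host in hosts:
        proc = subprocess.run(
            ["ssh", "-o", "BatchMode=yes", f"{admin_user}@{host}", script],
            input=content, text=True, capture_output=True,
        )
        results[host] = proc.returncode == 0
    return results


if __name__ == "__main__":
    # Constructed sample policy; the group, commands and host names are placeholders.
    policy = render_fragment("DOMAIN\\Linux Admins",
                             ["/usr/bin/systemctl restart httpd",
                              "/usr/bin/journalctl -u httpd"])
    print(policy)
    print(deploy(["web1.example.local", "web2.example.local"],
                 "deployer", "ad-linux-admins", policy))
```

Because the check runs on the staged copy and the file is only moved into place after `visudo -cf` succeeds, a typo in the policy cannot leave a host with a broken sudoers configuration; the per-host result map tells you which hosts still need attention.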

5 Answers

17

Why not scrap /etc/sudoers and use AD (LDAP) as your sudoers store? -- More info here.

You're already authenticating against AD, so this is just the next logical step, and gives you a convenient, centralized place to handle authentication and authorization.

voretaq7
  • For as long as I can remember, we've just done AD/Linux/winbind/PAM and added AD groups to `sudoers` -- I do not know how I've never found this. A much deserved +1. – jscott Dec 12 '11 at 21:22
  • @jscott The big downside is a lot of sudo packages don't have LDAP compiled in so you may have to roll your own. I build sudo from FreeBSD ports, and we already have LDAP dependencies for pam_ldap, so it's no extra headache for me :-) – voretaq7 Dec 12 '11 at 22:20
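To show what the sudo-over-LDAP store actually holds, here is an added example (not from the answer or from the sudo project) that builds a sudoRole entry using only attributes the question's own schema lists under mayContain: sudoUser, sudoHost, sudoCommand, sudoRunAsUser and sudoOption. It folds lines longer than 76 characters and base64-encodes values that are not LDIF-safe, as RFC 2849 requires, so the output can be fed to ldapadd or ldifde unchanged. The base DN, the ou=SUDOers container, the role name, group and commands are constructed placeholders.

```python
#!/usr/bin/env python3
"""Emit a sudoRole LDIF entry for a sudo-over-LDAP (AD) setup.

Added example for this thread, not from the sudo project. It assumes the
sudoRole class from the schema quoted in the question and a container
ou=SUDOers directly under the base DN (both are assumptions).
"""
import base64
import re
from typing import Iterable, List

LDIF_MAX = 76  # RFC 2849: fold lines longer than this
# RFC 4514 characters that would need escaping inside an RDN value.
_DN_SPECIAL = re.compile(r'[,+"\\<>;=]')


def _needs_base64(value: str) -> bool:
    """RFC 2849 safe-string rule: plain form only for ASCII text that does not
    start with space, colon or '<', has no trailing space and no control chars
    (slightly stricter than the RFC, which allows TAB)."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 127 or ord(c) < 32 for c in value)


def ldif_attr(name: str, value: str) -> List[str]:
    """Render one attribute as a list of physical LDIF lines (folded if long)."""
    if _needs_base64(value):
        line = f"{name}:: {base64.b64encode(value.encode()).decode()}"
    else:
        line = f"{name}: {value}"
    out = [line[:LDIF_MAX]]
    rest = line[LDIF_MAX:]
    while rest:  # continuation lines carry one leading space
        out.append(" " + rest[:LDIF_MAX - 1])
        rest = rest[LDIF_MAX - 1:]
    return out


def unfold_ldif(text: str) -> str:
    """Reverse the folding so callers can compare against logical lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return "\n".join(lines) + "\n"


def render_sudo_role(base_dn: str, name: str, group: str, commands: Iterable[str],
                     hosts: Iterable[str] = ("ALL",), run_as_user: str = "root",
                     options: Iterable[str] = ()) -> str:
    """Return an LDIF 'add' entry for cn=NAME,ou=SUDOers,BASE_DN.

    Every sudoCommand must be an absolute path: this rejects ALL and bare
    program names, so the role can never match whatever is first on PATH.
    """
    if _DN_SPECIAL.search(name) or name.startswith((" ", "#")):
        raise ValueError(f"role name needs DN escaping, pick a simpler cn: {name!r}")
    commands = list(commands)
    if not commands:
        raise ValueError("a sudoRole without sudoCommand grants nothing")
    for cmd in commands:
        if not cmd.split(" ", 1)[0].startswith("/"):
            raise ValueError(f"sudoCommand must be an absolute path: {cmd!r}")
    lines: List[str] = []
    lines += ldif_attr("dn", f"cn={name},ou=SUDOers,{base_dn}")
    lines += ldif_attr("changetype", "add")
    lines += ldif_attr("objectClass", "top")
    lines += ldif_attr("objectClass", "sudoRole")
    lines += ldif_attr("cn", name)
    lines += ldif_attr("sudoUser", f"%{group}")  # leading % means a group
    for host in hosts:
        lines += ldif_attr("sudoHost", host)
    for cmd in commands:
        lines += ldif_attr("sudoCommand", cmd)
    lines += ldif_attr("sudoRunAsUser", run_as_user)
    for opt in options:
        lines += ldif_attr("sudoOption", opt)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: base DN, group and commands are placeholders.
    print(render_sudo_role("dc=example,dc=local", "web-restart", "linux-admins",
                           ["/usr/bin/systemctl restart httpd",
                            "/usr/bin/journalctl -u httpd"],
                           options=["!authenticate"]))
```

The entry is deliberately narrow: one role per task, a group rather than individual users in sudoUser, and absolute command paths only. Whether sudo consults the LDAP store at all still depends on the client side being built with LDAP support and pointed at the directory in nsswitch.conf and ldap.conf, which is the caveat raised in the comment above.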
15

How about a configuration management tool? Puppet, Chef, CFEngine, etc?

Shane Madden
3

You can define groups in sudoers... and pull those groups from a central authentication repository... like Active Directory. I love putting domain admins in my sudoers file. Saves a lot of headaches.

TheCompWiz
2

If you're searching for an API to modify your sudoers file, you can use Augeas with the Sudoers lens. It integrates nicely with Puppet, but you could also use it in a script of your own (there are many bindings).

See this answer, for example.

raphink
0

Hmm!! It's a pain. The other way you can do it is with the cssh command, which will allow you to open multiple windows at a time. If you type something in the tiny window (white blank window), you will notice your typing is propagating through all windows. I would recommend taking a backup of your sudoers file and using the visudo command to update sudoers. If there is anything the sudoers file doesn't like, visudo will tell you to correct the file.

Cheers

snc805