7

I have active directory sign in working on an Ubuntu 12.04 box. When the user signs in, I have a script that runs that needs sudo permission (since it modifies the samba config file). How would I specify this in my sudoers file?

The active directory user is a part of a group called domain users. I see domain users when I issue groups as the active directory user.

I've tried:

 %domain+users ALL=NOPASSWD: /etc/userScripts/createSambaShare.php

This still asks me for a password and then tells me that the user is not in the sudoers file.

Is there a log I can check to see what it's doing when it asks the active directory user for their password?

Skyhawk
nwalke

2 Answers

4

It looks like you are using a plus sign in lieu of the space in Domain Users. I don't see any reason why that would work.

Instead, escape the space with a backslash:

 %Domain\ Users ALL=NOPASSWD: /etc/userScripts/createSambaShare.php

If that doesn't work, try using an alias:

 User_Alias DomainUsers=%Domain\ Users
 DomainUsers ALL=NOPASSWD: /etc/userScripts/createSambaShare.php

Also, keep in mind that pretty much everything in Linux is case-sensitive, including user and group names. Is the group really showing up as domain users, or is it showing up as Domain Users? It has to match.

Skyhawk
3

Why don't you just set the UNIX group in /etc/sudoers and then make sure everybody is added to that group in AD?

Michael Hampton
  • You mean do something like `%Programmers ALL=NOPASSWD: /usr/local/bin/createSambaShare.php` ? – nwalke Oct 08 '12 at 18:26
  • That seems reasonable enough. – Michael Hampton Oct 08 '12 at 18:28
  • I did that. My AD user is part of the "Programmers" group in active directory. Looks like my company has it set up so that the AD Domain Services Folder for the group is `Domain.com/Staff/Security Groups`, does my group in linux then become `%DOMAIN.COM/Staff/Security+Groups/Programmers` ? – nwalke Oct 08 '12 at 19:17
  • You set up the group in UNIX Attributes, right? – Michael Hampton Oct 08 '12 at 21:51
  • I would assume not. I asked our sys admin about the unix tab for each user and he said he didn't see a unix tab, so I'll refer him to your link on my other question. – nwalke Oct 08 '12 at 21:53
  • Does the link you provided in the last question also affect 2008? – nwalke Oct 09 '12 at 01:21
  • Try clicking it. :) – Michael Hampton Oct 09 '12 at 01:24
  • Found the attributes tab, added my user to it. When I log in to the linux box with my AD user, it still asks for my password. When I do `groups` with my AD user, I do not see the group `Programmers`. – nwalke Oct 09 '12 at 20:38
  • Please see my updated question. I now have a group to work with. – nwalke Oct 17 '12 at 21:26