How to add Domain Admins to sudoers
There is a similar question that has been answered; so, I'm not sure if I should tag on; not believing that I should, I'm proceeding.
I'm running Ubuntu 14.04 and have joined our Windows domain using PBIS (formerly likewise-open). I can get an individual user account sudo privileges, but cannot get Domain Admins the same. I've tried every variation of %DOMAIN\domain^admins I've seen so far with no success.
Thanks in advance for any assistance.
28 Answers
This also worked for me:
%domain^admins ALL=(ALL:ALL) ALL
I assume this is because of the following commands used when setting up PBIS:
sudo /opt/pbis/bin/config UserDomainPrefix $domain
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
This seems to make the domain accounts appear as local accounts to the system by assuming the domain name is before the login account. Therefore the domain name is not required by the sudoers list.
Any thoughts?
Here is another way of doing it, without requiring all the fancy escaping and also without guessing at the exact group name. I tested with winbind.
Figure out the group name:
$ getent group | grep -i admin
MYDOMAIN\Domain Admins:*:100006:
Add the group you see above to the sudoers file. We can use the sudoers.d directory to avoid changing the main sudoers file (e.g. to avoid a merge if a distribution upgrade changes it).
$ visudo -f /etc/sudoers.d/DomainAdmins
# Add this line:
"%MYDOMAIN\Domain Admins" ALL=(ALL) ALL
From the sudoers(5) man page:
A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may be enclosed in double quotes to avoid the need for escaping special characters.
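The getent lookup and quoted sudoers.d rule from the answer above, as an added example that is not part of the original answer: it builds the double-quoted rule from the group name, checks it with `visudo -cf`, and installs it with mode 0440. The function names are hypothetical, and the sample group line is the one shown in the answer.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the answer above.

# Take the group name (first field) from a `getent group` line.
group_name_from_getent() {
    printf '%s\n' "${1%%:*}"
}

# Build the double-quoted sudoers rule, with the % prefix inside the quotes.
# Refuses empty names and names containing a double quote or a newline,
# since those would end the quoted string or start a second rule.
sudoers_group_line() {
    nl='
'
    case $1 in
        ''|*'"'*|*"$nl"*) return 1 ;;
    esac
    printf '"%%%s" ALL=(ALL) ALL\n' "$1"
}

# Validate a one-line drop-in with visudo before installing it (run as root).
install_group_rule() {
    group=$1
    dest=$2
    getent group "$group" >/dev/null || {
        printf 'group does not resolve: %s\n' "$group" >&2
        return 1
    }
    tmp=$(mktemp) || return 1
    if sudoers_group_line "$group" >"$tmp" && visudo -cf "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "$dest"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on the getent line shown in the answer; this only prints the rule.
sample='MYDOMAIN\Domain Admins:*:100006:'
sudoers_group_line "$(group_name_from_getent "$sample")"
# As root: install_group_rule 'MYDOMAIN\Domain Admins' /etc/sudoers.d/DomainAdmins
```

Checking the rule in a temporary file first means a syntax error never reaches /etc/sudoers.d, where it could leave sudo unusable.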
Depends on your setup sometimes...
%domain\ admins ALL=(ALL) ALL
%domain\\domain\ admins ALL=(ALL) ALL
%domain\ ALL=(ALL) ALL
The last one is the one I actually had to use to get mine to work... I'm using sssd and realmd to join my domain.
Many suggestions in the past showed using domain^admins but that has never personally worked for me but according to many posts it has worked for others. Having the first word followed by a \ indicates there is a valid space and then doesn't read it as an invalid character. I hope this helps.
I was able to make it work with the following:
%domain^admins ALL=(ALL:ALL) ALL
(i.e., remove the domain)
From a terminal:
sudo EDITOR=nano visudo -f /etc/sudoers
Under the root line, add the line below:
username ALL=(ALL:ALL) ALL
or for a group:
# Members of the admin group may gain root privileges
%domain\\domain^Users ALL=(ALL) ALL
I know this question was posted super long ago, but I solved this by doing a
groups Mydomain\\myuser
then copying the admin group I wanted (escaping the single \ with another)
I know this thread is extremely old, but thought I'd share what I had to do to get this done in Ubuntu 18.04.1.
Since absolutely none of the above entries for the sudoers file worked for me, I simply created a Security Group in Active Directory called "sudo" and added the Domain Admins to it.
Domain Admin users logging into Ubuntu then show as part of the "sudo" group in Ubuntu as well, and are able to sudo commands.
I have worked a lot on it, and after so many tries and searching I got this working:
%domain\ admins ALL=(ALL) ALL
Since I was having DOMAIN name as two words I have to use: domain\ admins
domain admins
This was the exact group name I was having.
And % to specify group.
And without % I would think it is taken as username.