Results 1 to 4 of 4

Thread: Active Directory Group (refenced in the sudoers file) is Intermittent via SSH

  1. #1
    Join Date
    Nov 2023
    Beans
    2

    Question Active Directory Group (refenced in the sudoers file) is Intermittent via SSH

    Hello community!

    ENVIRONMENT
    We are operating several Ubuntu 22.04 systems. The systems are added to a Windows Active Directory Domain via the GUI as part of the initial configuration. We have an Active Directory group called "sudoers" that contains several Active Directory Users. We have modified the sudoers (/etc/sudoers) file via visudo to include the "sudoers" group from Active Directory. SSH is operating on the systems.

    Users are able to established a ssh session via their Active Directory credentials. Members of the "sudoers" Active Directory group are able to elevate commands from a ssh session. Sometimes.

    PROBLEM
    Intermittently, members of the suoders group will establish a ssh session, attempt to run an elevated command, and receive the "<username> is not in the sudoers file. This incident will be reported." message. The problem seems to happen when more than one ssh session is established by the same user. The sudoers group is not displayed if the user runs the "groups" command while in the problem state. Yet, the sudoers group is displayed if the same user runs the "groups" command from a different ssh session (while the other ssh session is still in the problem state).

    We've tried a number of configuration changes without success. Any guidance would be greatly appreciated!

    REFERENCES
    I've listed the sudoers file contents and the sssd.conf (/etc/sssd/sssd.conf) file contents for reference.
    Code:
    ## This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults        env_reset
    Defaults        mail_badpass
    Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
    Defaults        use_pty
    
    # This preserves proxy settings from user environments of root
    # equivalent users (group sudo)
    #Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
    
    # This allows running arbitrary commands, but so does ALL, and it means
    # different sudoers have their choice of editor respected.
    #Defaults:%sudo env_keep += "EDITOR"
    
    # Completely harmless preservation of a user preference.
    #Defaults:%sudo env_keep += "GREP_COLOR"
    
    # While you shouldn't normally run git as root, you need to with etckeeper
    #Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
    
    # Per-user preferences; root won't have sensible values for them.
    #Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
    
    # "sudo scp" or "sudo rsync" should be able to use your SSH agent.
    #Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
    
    # Ditto for GPG agent
    #Defaults:%sudo env_keep += "GPG_AGENT_INFO"
    
    # Host alias specification
    
    # User alias specification
    
    # Cmnd alias specification
    
    # User privilege specification
    root    ALL=(ALL:ALL) ALL
    
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    
    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL
    
    # Added Manually
    %sudoers        ALL=(ALL:ALL) ALL
    
    # See sudoers(5) for more information on "@include" directives:
    
    @includedir /etc/sudoers.d
    Code:
    [sssd]
    domains = domain.local
    config_file_version = 2
    Services = nss, pam
    
    [domain/domain.local]
    default_shell = /bin/bash
    krb5_store_password_if_offline = True
    cache_credentials = True
    krb5_realm = DOMAIN.LOCAL
    realmd_tags = manages-system joined-with-adcli
    id_provider = ad
    fallback_homedir = /home/%u@%d
    ad_domain = domain.local
    use_fully_qualified_names = False
    ldap_id_mapping = True
    access_provider = ad
    
    #ldap_schema = rfc2307bis
    #ldap_group_name = cn
    #ldap_group_member = member

  2. #2
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Active Directory Group (refenced in the sudoers file) is Intermittent via SSH

    <<This is a Server Admin Question and would be dealt with better in the Server Section>>

    Why? You are a Windows Admin right? LOL I do both, so will translate this for you.

    Apply the same basic foundation concepts...

    You created a group named "sudoers" as a security group, and modified the "sudoers" file which does not affect the new "sudoers" group members, but rather members of the "sudo" group. The name you gave it is somewhat ambiguous, as it is confusingly named the same as that control configuration file... The confusion of that only starts with the name of that file, and goes from there onto other things and sections of the system:
    sudoers policies in LDAP
    sudo.conf, with it's contents and arguments: Plugin sudoers_policy sudoers.so sudoers_mode=0400 sudoers_uid=<XXXX> sudoers_gid=<gid_sudoers_file=<path> sudoers_mode=<mode>

    Your can see where using that "name" as a "name" is a potential conflict waiting to happen right?

    We usually, by rule of thumb use something descriptive like "sudousers"... Users are members of groups. You can add groups with sudo rights in the sudoers file by adding a line to /etc/sudoers similar to this:
    Code:
    %sudousers ALL=(ALL) ALL
    Just like in Windows, where you can check the inherited rights of a specific user, you check the rights of a user added to a sudo enabled security group like this:
    Code:
    mafoelffen@Mikes-B460M:/data/ISO$ sudo -l -U mafoelffen
    [sudo] password for mafoelffen: 
    Matching Defaults entries for mafoelffen on Mikes-B460M:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
    
    User mafoelffen may run the following commands on Mikes-B460M:
        (ALL : ALL) ALL
    But if you the want to get down to details in what they can do, then
    Code:
    # Allow user 'fred' to remote poweroff
    fred ALL=(ALL) !ALL # deny all commands
    fred ALL=NOPASSWD: /sbin/poweroff #specific commands they can do, without having to enter a password...

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
    Sticky: Graphics Resolution | UbuntuForums 'system-info' Script | Posting Guidelines | Code Tags

  3. #3
    Join Date
    Nov 2023
    Beans
    2

    Re: Active Directory Group (refenced in the sudoers file) is Intermittent via SSH

    Thank you for the message.

    Per your suggestion, we may plan to rename the group to alleviate confusion.

    We did add the "sudoers" Active Directory group to the sudoers file (/etc/sudoers).

    Code:
    # Added Manually
    %sudoers ALL=(ALL:ALL) ALL
    And members of the "sudoers" Active Directory group are able to elevate commands from a ssh session. Sometimes.

    Intermittently, members of the "suoders" group will establish a ssh session, attempt to run an elevated command, and receive the "<username> is not in the sudoers file. This incident will be reported."

    When the ssh session is in the problem state, the user can establish the second ssh session, attempt to run an elevated command, and it will work. Sometimes. The problem is intermittent.

    It seems to be an Active Directory group membership problem that manifests itself when a ssh session is established. Sometimes. Additionally, the problem seems to only happen when more than one ssh session is established by the same user. We have been unable to recreate the problem state when a user establishes a single ssh session.

  4. #4
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Active Directory Group (refenced in the sudoers file) is Intermittent via SSH

    Wow. I haven't seen that being a problem in Linux, SSH and groups, with Windows AD DS out of the picture.

    Hmmm. I'm going to have to spin up my SSSD test-cases (Win Server DC controller and Ubuntu Domain members) and see if I can recreate that. You have me curious now.

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
    Sticky: Graphics Resolution | UbuntuForums 'system-info' Script | Posting Guidelines | Code Tags

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •