Hello community!
ENVIRONMENT
We are operating several Ubuntu 22.04 systems. The systems are added to a Windows Active Directory Domain via the GUI as part of the initial configuration. We have an Active Directory group called "sudoers" that contains several Active Directory Users. We have modified the sudoers (/etc/sudoers) file via visudo to include the "sudoers" group from Active Directory. SSH is operating on the systems.
Users are able to establish an SSH session via their Active Directory credentials. Members of the "sudoers" Active Directory group are able to elevate commands from an SSH session. Sometimes.
PROBLEM
Intermittently, members of the sudoers group will establish an SSH session, attempt to run an elevated command, and receive the "<username> is not in the sudoers file. This incident will be reported." message. The problem seems to happen when more than one SSH session is established by the same user. The sudoers group is not displayed if the user runs the "groups" command while in the problem state. Yet, the sudoers group is displayed if the same user runs the "groups" command from a different SSH session (while the other SSH session is still in the problem state).
We've tried a number of configuration changes without success. Any guidance would be greatly appreciated!
REFERENCES
I've listed the sudoers file contents and the sssd.conf (/etc/sssd/sssd.conf) file contents for reference.
Code:
## This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults use_pty
# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"
# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"
# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Added Manually
%sudoers ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
Code:
[sssd]
domains = domain.local
config_file_version = 2
# sssd.conf option names are lowercase; "Services" is not a recognised key
services = nss, pam
[domain/domain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = domain.local
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
#ldap_schema = rfc2307bis
#ldap_group_name = cn
#ldap_group_member = member
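The symptom in the post (one SSH session shows the sudoers group, a concurrent one for the same user does not) is what a stale per-session group vector looks like: `groups` with no argument prints the supplementary groups fixed at login by initgroups(), `groups USER` or `id -G USER` does a fresh NSS lookup through SSSD, and sudo checks the invoking process's group vector. The script below is an added diagnostic, not part of the original post or of SSSD or sudo; it compares the two views by numeric GID so that AD group names containing spaces (for example "domain users") do not break the comparison. It assumes the `id` and `getent` utilities, the group name `sudoers` from the post, and `sssctl` from sssd-tools; the GID values in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the original post). Compares the
# supplementary GIDs baked into the current session at login with the GIDs a
# fresh NSS lookup (SSSD) returns for the same user right now. A GID present in
# the fresh lookup but absent from the session means the session was created
# while SSSD returned an incomplete membership list; sudo reads the session's
# group vector, so it will keep rejecting the user until a new login session.

# gid_of_group_entry ENTRY
# ENTRY is one line in getent group format (name:passwd:gid:members),
# e.g. "sudoers:*:200601:alice,bob" (constructed). Prints the numeric GID.
gid_of_group_entry() {
    printf '%s\n' "$1" | cut -d: -f3
}

# missing_gids SESSION_GIDS NSS_GIDS
# Both arguments are space-separated numeric GID lists, as printed by
# "id -G" (session) and "id -G USER" (fresh lookup). Prints, one per line,
# every GID returned by NSS that the session does not have.
missing_gids() {
    session="$1"
    nss="$2"
    for g in $nss; do
        found=0
        for s in $session; do
            if [ "$s" = "$g" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$g"
        fi
    done
}

# session_lacks_gid GID SESSION_GIDS NSS_GIDS
# Returns 0 when GID is known to NSS for the user but missing from the
# session's group vector: the "sudoers shows in my other session but not in
# this one" state from the post.
session_lacks_gid() {
    missing_gids "$2" "$3" | grep -qx -- "$1"
}

# check_current_session GROUPNAME
# Live check of the calling shell. Exit status 0 when the session agrees with
# NSS for GROUPNAME, 1 when the session is stale, 2 when NSS itself cannot
# resolve the group (SSSD problem rather than a stale session).
check_current_session() {
    group_name="$1"
    user="$(id -un)"
    entry="$(getent group "$group_name")" || {
        printf 'NSS cannot resolve group %s right now; check SSSD (sssctl user-checks %s, sss_cache -E)\n' \
            "$group_name" "$user"
        return 2
    }
    gid="$(gid_of_group_entry "$entry")"
    if session_lacks_gid "$gid" "$(id -G)" "$(id -G "$user")"; then
        printf 'Session for %s lacks gid %s (%s) that NSS returns now: open a new login session\n' \
            "$user" "$gid" "$group_name"
        return 1
    fi
    printf 'Session for %s is consistent with NSS for group %s\n' "$user" "$group_name"
    return 0
}

# Usage from the affected SSH session:  sh check_session_groups.sh sudoers
if [ -n "${1:-}" ]; then
    check_current_session "$1"
fi
```

Run it from the session that fails with "is not in the sudoers file"; a return of 1 confirms the session's group vector is out of date relative to what SSSD returns now, while a return of 2 points at the SSSD lookup itself.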