
Thread: Unable to Add Active Directory User as root after logon

  1. #11
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    28,050

    Default Re: Unable to Add Active Directory User as root after logon

    Quote Originally Posted by Miuku View Post
    If you want to have "Windows Admins" with superuser permissions on your Linux system, you could allow domain users to execute sudo commands without password - this will require some changes to /etc/sudoers.

    Mainly, you'll want to remove targetpw by commenting it out so it won't ask for root password and enable domain admins to execute any command with root permissions, for example if you add to sudoers (after commenting targetpw):
    Code:
    # Domain Admins
    %domain\ admins ALL=(ALL) ALL
    This would allow any user in the Windows AD group Domain Admins to execute commands with sudo without a password (of course it requires them to log in to the system first with their AD password).
    To me this sounds like publishing the root password on a billboard above the entrance of your company
    Henk van Velden

  2. #12
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,108

    Default Re: Unable to Add Active Directory User as root after logon

    Quote Originally Posted by hcvv View Post
    To me this sounds like publishing the root password on a billboard above the entrance of your company
    It still requires you to have Domain Admin permissions on Active Directory which means your entire corporate network security has been compromised already :-)

    That being said, to the OP: you can check what groups your logged-in user is part of in AD with;
    Code:
    wbinfo -g
    and you can manipulate things in AD with
    Code:
    net
    command from the terminal. For example;
    Code:
    net ads group
    lists all groups etc.

    This is all with the assumption that you are running with Winbind, if you use SSSD it's a bit different.
    .: miuku #suse @ irc.freenode.net

  3. #13
    Join Date
    Sep 2018
    Location
    Boston, MA
    Posts
    17

    Default Re: Unable to Add Active Directory User as root after logon

    Upon further discussion with my associate, I have discovered that the actual issue lies with listing groups in sudoers. Regardless of how the list in the file is formatted, it doesn't recognize that there are any groups in there; we've tried with caps, without, camelCase, and still nothing works. We're trying to add a group to sudoers called Som-MASiteAdmin. Not sure what we're doing here to make things not work.
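    An added example, not code from the thread, that puts the pieces from posts #12 and #13 together: it escapes an AD group name the way sudoers(5) wants it, writes a drop-in that keeps sudo's environment reset and pinned PATH, and checks the typed group name against the names the system actually reports (from `wbinfo -g` or `id -Gn`). It assumes Winbind as in post #12; the domain name EXAMPLE and the group names in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Winbind (wbinfo -g
# prints one group per line); EXAMPLE and the group names are placeholders.

# sudoers(5) group names: escape backslash (DOMAIN\group) and space,
# e.g. "domain admins" -> 'domain\ admins' as in the quoted post.
sudoers_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g'
}

# Drop-in granting the group sudo while keeping sudo's own hardening:
# env_reset drops the caller's environment and secure_path pins PATH,
# so a caller's PATH cannot steer which binary runs as root.
sudoers_entry() {
    grp=$(sudoers_escape "$1")
    printf 'Defaults:%%%s env_reset, secure_path="/usr/sbin:/usr/bin:/sbin:/bin"\n' "$grp"
    printf '%%%s ALL=(ALL) ALL\n' "$grp"
}

# Membership check against a list of group names (one per argument, e.g.
# from `wbinfo -g`). Returns 0 on exact match, 2 when the only difference
# is letter case (winbind commonly reports lower-cased names, which is the
# first thing to check when the group exists in AD but sudo ignores it),
# and 1 when the group is absent.
in_group_list() {
    want=$1; shift
    for g in "$@"; do [ "$g" = "$want" ] && return 0; done
    lw=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    for g in "$@"; do
        [ "$(printf '%s' "$g" | tr 'A-Z' 'a-z')" = "$lw" ] && return 2
    done
    return 1
}

# Write the drop-in to FILE (normally /etc/sudoers.d/<name>) and have visudo
# parse it before it can lock anyone out; mode 0440 is what sudo expects.
install_dropin() {
    file=$1; group=$2
    sudoers_entry "$group" > "$file" && chmod 0440 "$file" || return 1
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" >/dev/null || { rm -f "$file"; return 1; }
    fi
}

# Usage as root, hypothetical names:
#   install_dropin /etc/sudoers.d/som-masiteadmin Som-MASiteAdmin
#   wbinfo -g | grep -i som-masiteadmin; sudo -l
```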

  4. #14
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,206
    Blog Entries
    2

    Default Re: Unable to Add Active Directory User as root after logon

    Quote Originally Posted by hcvv View Post
    I never use sudo (I assume you mean that). But I am aware of the "sudo disease". It is well spread. I normally use (in KDE) the Terminal - Super User Mode, which uses
    Code:
    su -
    Then I can do as root what I have to do and exit afterwards.
    I'd caution that IMO this is one of those cases where "su -" is not desired... You'd probably want "su" which doesn't relogin as the new user (root in this case).

    When an Administrator logs in remotely to a machine to do administrative work, usually the only need is to have elevated permissions and couldn't care less about a root home directory or any other user-specific environment variables. And, you really don't want to be re-located to a different location in the file directory, you want to be exactly where you are, and more often than not in the file tree of a specific User on the system.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  5. #15
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,206
    Blog Entries
    2

    Default Re: Unable to Add Active Directory User as root after logon

    Quote Originally Posted by Cambridgeport90 View Post
    So, the root user can't be one from one of the AD groups? Also, we have discovered that sudo -i doesn't work when logged in under this AD user, either.
    As I tried to emphasize in the other related Forum thread,
    Windows User security is a different design than *NIX.
    There are some similarities (like root and the MSWindows 500 account) but there are also differences... Any of the various Administrator accounts you find in Windows won't be found in *NIX.

    I'd also caution that sudo may not do what you want...
    Sudo doesn't truly "change user" to have full capabilities of the new user (su and su - do this), sudo merely allows a user to impersonate another account temporarily. The difference here is that impersonation means that you are still your original account but gain some new capabilities for a period of time. Some functions will notice this difference and refuse to allow any impersonated account to do some things.

    A common example that comes to mind is if you try to administer a RDBMS app like PostgreSQL or MySQL... If you sudo, you'll probably be rejected. You'll need to "su" to manage those database apps.

    My suggestions...
    Primary is to identify, define and declare your objectives.
    Active Directory integration with Linux means many things to different people because AD is LDAP extended in so many ways to support a full spectrum of network management far beyond what LDAP by itself does, and is why Active Directory is so popular... The ability to manage your entire network with zero touch.

    But, all that functionality to support Windows networks is not always what Admins want or need on Linux boxes... They're often perfectly happy if Users on their Linux boxes can logon with their Domain User Account and access network resources, primarily Windows Network Shares... and that's it. YaST supports this out of the box.

    But,
    You might be interested in more.
    If you're a decent sized Windows shop, you're likely using your Active Directory to maintain your Windows hosts... provisioning machines, ensuring and tracking and maybe even withholding updates. You may be installing apps remotely on machines, debugging problems, tracking resource usage and more.

    And, maybe you're interested in doing the same on your Linux hosts.
    You should know that this level of granular management of managing Linux hosts using Active Directory isn't usually possible with a single all-encompassing solution but there are Enterprise solutions and some apps that will do some of these things.

    Centrify is a commercial solution that extends AD to support doing quite a bit of Linux hosts management. There were some public source projects a few years ago but don't know what may have happened to them, it's not something I kept up on. There is also a solution called "Jump Cloud" that integrates heterogeneous OS devices into a common directory service.

    Puppet and Chef are popular Enterprise device provisioning apps that are cross platform provisioning solutions. Saltstack is another popular solution in this space. To a certain degree they can support some health metrics but probably shouldn't be considered maintenance and monitoring apps.

    Since you say you are deployed on virtualization, you can investigate what is available for that technology. In general, AFAIK Hyper-V has cut back practically to nothing assuming that 3rd party apps might pick up the slack, which is a different direction other apps like VMware went. Virtualization usually provides some API or method(s) to have direct access to what is running in a virtual machine.

    HTH,
    TSU

  6. #16
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    28,050

    Default Re: Unable to Add Active Directory User as root after logon

    Quote Originally Posted by tsu2 View Post
    I'd caution that IMO this is one of those cases where "su -" is not desired... You'd probably want "su" which doesn't relogin as the new user (root in this case).

    When an Administrator logs in remotely to a machine to do administrative work, usually the only need is to have elevated permissions and couldn't care less about a root home directory or any other user-specific environment variables. And, you really don't want to be re-located to a different location in the file directory, you want to be exactly where you are, and more often than not in the file tree of a specific User on the system.

    TSU
    I think you know I differ here from your opinion very much. Already for ages (from before even Linux existed) it is seen as a great security risk to run processes as root (that is what you call "elevated permissions" if I understand that expression correctly) with the process environment of any other user. Alone the fact that a PATH can lead to executing a different program than was intended is hair-raising enough.
    Henk van Velden

  7. #17
    Join Date
    Sep 2012
    Posts
    6,251

    Default Re: Unable to Add Active Directory User as root after logon

    Quote Originally Posted by hcvv View Post
    Already for ages (from before even Linux existed) it is seen as a great security risk to run processes as root (that is what you call "elevated permissions" if I understand that expression correctly) with the process environment of any other user.
    So giving user carte blanche to do anything as root without any trace or audit log is better than restricting user to perform well defined actions where every such action is logged? We have very different definitions of "security" indeed.
    Alone the fact that a PATH can lead to executing a different program than was intended is hair-raising enough.
    If you configure sudo to depend on path it is your fault, not sudo.

  8. #18
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    28,050

    Default Re: Unable to Add Active Directory User as root after logon

    Quote Originally Posted by arvidjaar View Post
    So giving user carte blanche to do anything as root without any trace or audit log is better than restricting user to perform well defined actions where every such action is logged? We have very different definitions of "security" indeed.

    If you configure sudo to depend on path it is your fault, not sudo.
    Sorry, I did NOT discuss sudo with @tsu2, I discussed su vs. su -.
    Henk van Velden
