
Thread: Unable to Add Active Directory User as root after logon

  1. #1
    Join Date
    Sep 2018
    Location
    Boston, MA
    Posts
    17

    Unable to Add Active Directory User as root after logon

    Hi all,
    If anyone can assist with this, that would be appreciated. I have an AD-joined OpenSUSE server, running the latest version, and we were able to join it to AD via the Windows domain membership module (user logon management doesn't seem to exist, contrary to what documentation would have one reading it believe, though that might have been just us, for it's been at least six years since I've touched OpenSUSE), and when logging in, you can log in, but that's it. The groups don't show up under the user and group management module of YaST. Basically, any AD user that can log in can't do anything once they get inside, even if they have permissions in AD itself. Not sure what we're missing (we were able to get root access using the normal (non-YaST) method of editing the config files directly, but we would rather be able to employ the simplicity that YaST provides, if possible). So, two questions. How does one add a user to groups properly so that only the needed members have root access, and we don't have to edit the config files manually to get root, and two, why aren't we able to do anything under the user and group management module with any of the AD groups that already exist? To make things even more detailed, the Active Directory environment is running Windows Server 2016.

    Thanks,
    -KAT

  2. #2
    Join Date
    Sep 2012
    Posts
    7,853

    Re: Unable to Add Active Directory User as root after logon

    Quote: Originally Posted by Cambridgeport90
    How does one add a user to groups properly so that only the needed members have root access
    There is only one root user. No other user has "root access", no matter what authentication backend is used.

  3. #3
    Join Date
    Sep 2018
    Location
    Boston, MA
    Posts
    17

    Re: Unable to Add Active Directory User as root after logon

    So, the root user can't be one from one of the AD groups? Also, we have discovered that sudo -i doesn't work when logged in under this AD user, either.

  4. #4
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    30,927

    Re: Unable to Add Active Directory User as root after logon

    Are you sure you know what the "root user" is?

    It is not so much a user with username "root", but the user with UID "0".

    And I assume it is better to have that only defined in your /etc/passwd. The more bells and whistles connected to it, the more problems you will have when your system breaks down and you have to login as root from e.g. runlevel 1 to repair it.
    Henk van Velden

  5. #5
    Join Date
    Sep 2018
    Location
    Boston, MA
    Posts
    17

    Re: Unable to Add Active Directory User as root after logon

    I definitely know what the root user is. I think I misspoke, perhaps (posting this on behalf of another administrator in my group who wants to use his AD account with root privileges). If it's better just to Sudo everything, then I'll let him know (I found the SUSE documentation on that and sent it to him). Basically, he wants to know how being an admin in AD on some of our Windows machines will translate simply into the Linux machines he wants to manage. The question is two-fold, as well, for the other issue we ran into is pertaining to the user and group management module; upon going in there, after the machine was AD joined via the Windows Domain Membership module, none of the groups show up for management in users and groups.

  6. #6
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    30,927

    Re: Unable to Add Active Directory User as root after logon

    Quote: Originally Posted by Cambridgeport90
    If it's better just to Sudo everything,
    I never use sudo (I assume you mean that). But I am aware of the "sudo disease". It is well spread. I normally use (in KDE) the Terminal - Super User Mode, which uses
    Code:
    su -
    Then I can do as root what I have to do and exit afterwards.
    Last edited by hcvv; 10-Nov-2020 at 09:56.
    Henk van Velden

  7. #7
    Join Date
    Sep 2018
    Location
    Boston, MA
    Posts
    17

    Re: Unable to Add Active Directory User as root after logon

    If it helps, this server is in text mode only, and has no graphical components. Not sure if that changes anything. I definitely understand what you're saying here ... Both myself and him are relatively new to OpenSUSE (he's used to CentOS and that kind of AD join), and I'm just starting, so, both of us are trying to figure out the best way to administer a SUSE-based server. YaST is quite nice, but I think we're too new to it in order to properly judge it. I think what might help here is some extra information on how SUSE handles AD joins; how groups translate and what not ... so, how to specify say, members of the domain admins group to be administrators of the particular SUSE server (seems more manual than Windows does it where all members of that group have a blanket set of permissions), and so on. I looked through chapter 7 of the security guide, and it's not clear how groups translate. Because if we can do this without root, then, better for us and for everyone involved. Is there an automated YaST-based way of managing this?
    In addition, this still doesn't answer the question as to why none of the AD groups are showing up in the user and group management module (if the two of them have anything to do with one another at all). I'm assuming it's because of how management of AD groups is handled? I hope this clarifies things a bit. I wish I had more experience with CentOS so that I can explain how things are set up there in our environment. I will get some more information for comparison if needed, though.

  8. #8
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    30,927

    Re: Unable to Add Active Directory User as root after logon

    I do not use Active Directory, so do not await much from me. About Windows I do know almost nothing, thus comparing something with how it is done there does not work with me.

    I assume your last paragraph shows the real question you now have. But the thread title does not cover this. To draw the attention of those who know how those AD users and groups are to be handled, it may be better to start a new thread where the title tells this in a few keywords.

    About YaST, it is certainly a major incentive that comes with openSUSE. It does have an ncurses interface, thus there is no need for a GUI to work with it. YaST certainly covers most of the important system management tasks you will encounter. But a fall back to good old basic commands might be needed. After all, when a system management tool would cover all possibilities of all areas it would most probably grow out of proportions and its screens would become ununderstandably cluttered for most of the audience.
    Henk van Velden

  9. #9
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,226

    Re: Unable to Add Active Directory User as root after logon

    If you want to have "Windows Admins" with superuser permissions on your Linux system, you could allow domain users to execute sudo commands without password - this will require some changes to /etc/sudoers.

    Mainly, you'll want to remove targetpw by commenting it out so it won't ask for root password and enable domain admins to execute any command with root permissions, for example if you add to sudoers (after commenting targetpw):
    Code:
    # Domain Admins
    %domain\ admins ALL=(ALL) ALL
    This would allow any user in the Windows AD group Domain Admins to execute commands with sudo without a password (of course it requires for them to login to the system first with their AD password).
    .: miuku @ #opensuse @ irc.libera.chat
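
An added example, not part of the original post or the thread: a small shell audit of a sudoers file after the edit described above. With `Defaults targetpw` active, sudo prompts for root's password; the stock openSUSE sudoers pairs it with a blanket `ALL ALL=(ALL) ALL` rule, so commenting out only `targetpw` leaves every user who can log in with full sudo, and a `%group` rule without `NOPASSWD:` prompts for the caller's own password. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All file contents are constructed samples.

# Print only active directives: drop comments and blank lines.
# (Simplification: this also drops '#include' style directives.)
active_lines() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Classify what sudo will do for ordinary users with this file.
audit_sudoers() {
    act=$(active_lines "$1")
    if printf '%s\n' "$act" |
       grep -Eq '^[[:space:]]*Defaults[[:space:]]+targetpw([[:space:]]|$)'; then
        echo "targetpw-active"       # sudo asks for root's password
    elif printf '%s\n' "$act" |
         grep -Eq '^[[:space:]]*ALL[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*ALL'; then
        echo "blanket-rule-exposed"  # any user who can log in gets full sudo
    else
        echo "ok"
    fi
}

# Report how a %group rule authenticates: nopasswd, password or absent.
group_rule_mode() {
    rule=$(active_lines "$1" | grep -F -- "%$2" | head -n 1) || :
    case $rule in
        '')          echo "absent" ;;
        *NOPASSWD:*) echo "nopasswd" ;;
        *)           echo "password" ;;
    esac
}

# Constructed samples: stock-style file, a partial edit, and a complete edit.
write_samples() {
    printf '%s\n' 'Defaults targetpw   # ask for the password of the target user' \
        'ALL   ALL=(ALL) ALL' > "$1/stock"
    printf '%s\n' '#Defaults targetpw' 'ALL   ALL=(ALL) ALL' \
        '# Domain Admins' '%domain\ admins ALL=(ALL) ALL' > "$1/partial"
    printf '%s\n' '#Defaults targetpw' '#ALL   ALL=(ALL) ALL' \
        '# Domain Admins' '%domain\ admins ALL=(ALL) ALL' > "$1/complete"
}

d=$(mktemp -d) && write_samples "$d"
for f in stock partial complete; do
    echo "$f: $(audit_sudoers "$d/$f"), group rule: $(group_rule_mode "$d/$f" 'domain\ admins')"
done
rm -rf "$d"
```

Run the same functions against a copy of the real file, and check syntax with `visudo -cf <file>` before installing any change.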

  10. #10
    Join Date
    Sep 2018
    Location
    Boston, MA
    Posts
    17

    Re: Unable to Add Active Directory User as root after logon

    Thanks ... I think I will start another one; the lack of being able to see those groups is bothering me. LOL. But at least I think we know what to do, now.
