domain user GUI privileges for specific applications

Hi all,

I have a Linux box with Leap 15.2 installed.
It is joined to an Active Directory domain.

I want one specific domain user to be able to get privileges to launch YaST or other programs from the GUI. I set up sudo with no problem from the terminal, to use sudo commands with the user password (disabled targetpw).

Everything is working fine, except I cannot gain privileges in the GUI. If I launch YaST (for example), the OS asks for the root password, and I don’t want this. I have an Ubuntu setup joined with sssd configured, and in that case adding the domain user to the adm and sudo groups was enough to get everything working. Is there a way to get the same result in openSUSE?

Best Regards,

Simo

No one? I think I will have to dismiss openSUSE in our organization over this issue, which is a shame.
Best Regards.
Simo

It was not clear what you were looking for.

However, on re-reading, I think I am seeing what you want.

Apparently, you do have “sudo” set up for this. But the default configuration of “sudo” does not pass through the environment settings that are related to the GUI. You can change that.

I normally don’t use “sudo”, but I have set it to pass through the GUI variables. Here are my changes:


diff -u -r1.1 sudoers
--- sudoers     2021/06/23 13:00:52     1.1
+++ sudoers     2021/06/23 13:07:18
@@ -40,7 +40,7 @@
 Defaults env_reset
 ## Change env_reset to !env_reset in previous line to keep all environment variables
 ## Following list will no longer be necessary after this change
-Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE DISPLAY XAUTHORITY SSH_AUTH_SOCK DESKTOP_SESSION XDG_SESSION_DESKTOP XDG_CURRENT_DESKTOP XDG_SESSION_TYPE"
 ## Comment out the preceding line and uncomment the following one if you need
 ## to use special input methods. This may allow users to compromise the root
 ## account if they are allowed to run commands without authentication.
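
Review bot: on the changed `Defaults env_keep` line, the new variables are added to the global default, so DISPLAY, XAUTHORITY and SSH_AUTH_SOCK are preserved for every sudo user and every command, not only for the one domain user who needs GUI tools. Consider leaving the stock line untouched and adding a scoped line instead, for example `Defaults:username env_keep += "DISPLAY XAUTHORITY"` (username is a placeholder), which also avoids re-typing the whole locale list and makes the change easier to audit. SSH_AUTH_SOCK exposes the invoking user's SSH agent socket to whatever runs as root and is not GUI related, so it should be dropped unless there is a specific need for it.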

That’s for file “/etc/sudoers”. There is one changed line. The version that begins with “-” is the original, and the version that begins with “+” is the changed version that I am using.

Those are variable names that I added to the list to be passed through. The added variables begin with “DISPLAY XAUTHORITY …”

You might not need “SSH_AUTH_SOCK”, which is not related to the GUI. All of the other changes are GUI related variables.

The actual output is from “diff -u”, comparing the old and new versions of the file.