7

There is a similar question that has been answered; so, I'm not sure if I should tag on; not believing that I should, I'm proceeding.

I'm running Ubuntu 14.04 and have joined our Windows domain using PBIS (formerly likewise-open). I can get an individual user account sudo privileges, but cannot get Domain Admins the same. I've tried every variation of %DOMAIN\domain^admins I've seen so far with no success.

Thanks in advance for any assistance.

9 Answers

6

This also worked for me:

%domain^admins ALL=(ALL:ALL) ALL

I assume this is because of the following commands used when setting up PBIS:

sudo /opt/pbis/bin/config UserDomainPrefix $domain
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U

This seems to make the domain accounts appear as local accounts to the system by assuming the domain name is before the login account. Therefore the domain name is not required by the sudoers list.

Any thoughts?

muru
Joseph
4

Depends on your setup sometimes...

%domain\ admins ALL=(ALL) ALL

%domain\\domain\ admins ALL=(ALL) ALL

%domain\ admins@domain.com ALL=(ALL) ALL

The last one is the one I actually had to use to get mine to work...I'm using sssd and realmd to join my domain.

Many suggestions in the past showed using domain^admins, but that has never personally worked for me, although according to many posts it has worked for others. Having the first word followed by a \ indicates there is a valid space, so it isn't read as an invalid character. I hope this helps.

bman
4

Here is another way of doing it, without requiring all the fancy escaping and also without guessing at the exact group name. I tested with winbind.

  1. Figure out the group name:

    $ getent group | grep -i admin
    MYDOMAIN\Domain Admins:*:100006:
    
  2. Add the group you see above to the sudoers file. We can use the sudoers.d directory to avoid changing the main sudoers file (e.g. to avoid a merge if a distribution upgrade changes it).

    $ visudo -f /etc/sudoers.d/DomainAdmins
    # Add this line:
    "%MYDOMAIN\Domain Admins" ALL=(ALL) ALL
    

From the sudoers(5) man page:

A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may be enclosed in double quotes to avoid the need for escaping special characters.
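
The steps above (look up the exact group name, then add it under /etc/sudoers.d), as an added shell example that is not part of any answer on this page: it escapes the name with backslashes, the form several answers here use, and installs the file only if `visudo -c` accepts it. The sample `getent` output, the function names and the drop-in file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from any answer): build and validate a sudoers.d entry
# for a domain group. The sample data below is constructed.

SAMPLE_GETENT='root:x:0:
sudo:x:27:localadmin
MYDOMAIN\Domain Admins:*:100006:
MYDOMAIN\Domain Users:*:100007:'

# Print group names containing "admin". Only the name field is matched, so a
# member called "localadmin" does not pull in an unrelated group.
admin_groups() {
    awk -F: 'tolower($1) ~ /admin/ { print $1 }'
}

# Backslash-escape the characters sudoers(5) treats as special in a word,
# plus the space, so the name survives parsing unchanged.
sudoers_escape() {
    printf '%s' "$1" | sed -e 's/[\\ !=:,()]/\\&/g'
}

# Full rule for a group: % prefix, escaped name, same spec the answers use.
sudoers_group_line() {
    printf '%%%s ALL=(ALL) ALL\n' "$(sudoers_escape "$1")"
}

# Install a rule as /etc/sudoers.d/$2 only if visudo accepts it (run as root).
# sudo skips drop-in files whose name contains '.' or ends in '~'.
install_dropin() {
    case $2 in ''|*.*|*~|*/*) echo "bad drop-in name: $2" >&2; return 2 ;; esac
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    rc=1
    if visudo -cf "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$2" && rc=0
    else
        echo "visudo rejected the entry; nothing installed" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on the constructed sample: prints the rule without touching the system.
printf '%s\n' "$SAMPLE_GETENT" | admin_groups | while IFS= read -r group; do
    sudoers_group_line "$group"
done
```

As root, `install_dropin "$(sudoers_group_line 'MYDOMAIN\Domain Admins')" DomainAdmins` writes the file, and `sudo -l -U <user>` then shows whether the rule applies to a given domain account.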

1

I have worked a lot on it, and after so many tries and searching I got this working:

%domain\ admins ALL=(ALL) ALL

Since I was having DOMAIN name as two words I have to use: domain\ admins

domain admins

This was the exact group name I was having.

And % is to specify a group; without % I would think it is taken as a username.

Rajat jain
0

I know this thread is extremely old, but thought I'd share what I had to do to get this done in Ubuntu 18.04.1.

Since absolutely none of the above entries for the sudoers file worked for me, I simply created a Security Group in Active Directory called "sudo" and added the Domain Admins to it.

Domain Admin users logging into Ubuntu then show as part of the "sudo" group in Ubuntu as well, and are able to sudo commands.

0

From a terminal:

sudo EDITOR=nano visudo -f /etc/sudoers

under line

After the root line, add the line below:

 username ALL=(ALL:ALL) ALL

or for group:

# Members of the admin group may gain root privileges
%domain\\domain^Users ALL=(ALL) ALL
muru
ahmed sami
0

I was able to make it work with the following:

%domain^admins ALL=(ALL:ALL) ALL

(i.e., remove the domain)

muru
0

I know this question was posted super long ago, but I solved this by doing a

groups Mydomain\\myuser

then copying the admin group I wanted (escaping the single \ with another)

Sean
-1

Edit or create the file

sudo nano /etc/sudoers.d/domain_admins

Add a string like this:

%domain\ admins@MyDomain.com ALL=(ALL) ALL