sudoers and directory groups

[sketch]

background:
I have ssh set up for kerberos, and acess to ssh restricted using SACLs and domain groups. This way support staff can use their accounts instead of a local account, and no one outside of the support group can use ssh at all.

And now the problem., I’ve added the support group to the sudoers file, however sudoers says the user is not in the sudoers file (when they are logged in via ssh)

what gives?

[sketch]

All 10.4. Some 10.4.8, some 10.4.9

[sketch]

Really? What are the differences?

And no. it doesn’t seem to matter, although it might.

just for reference, this is the line in my sudoers file that states the group:

%MacLabAdminUsers ALL=(ALL) ALL

perhaps there should be an AD\ in front of it?

[sketch]

How do I test the group lookup? I’m assuming this methodology variates from nesting the group via the AD settings in Directory Access?

[sketch]

well all of this has led to another odd issue. I figured out how to used id to check group membership of an account, and I’m NOT seeing the group I’m looking for. I’m seeing all of them BUT that group. And not just on my account, on all accounts that are members of that group.

Whisky
Tango
Foxtrot

[sketch]

Got it working. Thanks for the help. In the end the solution was quite embarrasing: typo 😳

[Author]

Posts