Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2988: Group sudoers file syntax not working after update to sudo v1.8

Centrify DirectControl ,  

12 April,16 at 11:31 AM

Applies to: All versions of Centrify DirectControl on RedHat/Centos 6.4. & Sudo v1.8. (note: Redhat 6.4 has moved from using Sudo v1.7 to v1.8)

Problem: 
 
The following sudo lines do not work, despite the group being listed in both parameters (auto.schema.groups and auto.schema.allow.groups) in /etc/centrifydc/centrifydc.conf

The sudo version is 1.8

In the following example, "security admins" is the test group. Notice the space in the group name. Normally, the spaces are escaped with backslashes. The domain could also be specified previously.

%domain\\security\ admins ALL=(ALL) ALL

Or:

%domain\\security_admins ALL=(ALL) ALL

Both of the above should fail if a user in security admins tries to sudo to root.

Workaround: 
 
Use underscores instead of spaces, additionally the feature for specifying a domain has been depreciated. 
 
The following example will work:

%security_admins ALL=(ALL) ALL
 
Resolution:
 
None. This is how sudoers works in v1.8.
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-3925: How to add Centrify parameter to a group policy articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6041: How to show current license type in use by adclient? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-1845: Error message "visudo Failed, will not change /etc/sudoers" articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-0747: sudoers group policy does not work when sudo package is installed in a non-std location articleKB-4878: Configuring sudo to work with smart cards on OS X