Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-30718: Active Directory User Does Not Get sudo Privileges From Local Group Membership

Authentication Service ,  

29 March,20 at 03:39 PM

Problem:  
   
An AD (Active Directory) user that belongs to a group that is defined in /etc/group, is not allowed to perform a sudo command, even when the local group is given the permissions in the sudoers file. The error seen is: "Sorry, user <username> may not run sudo on <machinename>."

For example:

AD user is: bugs
Local group in /etc/group is: cfy-mqm
  
User-added image
  
  
/etc/sudoers contains an assigned right for group cfy-mqm:
  
User-added image
  

An error appears when bugs runs the command sudo -l
  
User-added image

 
Cause:
  
This issue is due to the AIX implementation of LAM (Loadable Authentication Module) and IBM's adaptation of sudo. LAM is not only for authentication, it is also the proprietary user/group lookup mechanism for AIX, similar to that of NSS on other Unix/Linux platforms.  AIX is implemented with a "REGISTRY" to determine where a user or group is defined.  In this case, the IBM adapted sudo recognizes that the user attempting sudo is an AD user, and it ONLY recognizes the AD groups from the same registry as the user (CENTRIFYDC).  This model does not take into account that the AD user belongs to a local group during the sudo permission check.


Solution:
  
The solution is to create an AD group and zone enable it with the same name and GID of the AIX local group.

1) Create AD group.  The group does NOT need to have members.  However, if the AD user is added to the AD group, that member can then be removed from the AIX local group and still be considered a member.
  
  
User-added image
  

  
2) Zone enable the group with the same GID as the local group.
    
User-added image
  

3) Set the following parameter in /etc/centrifydc/centrifydc.conf
  
adclient.local.group.merge: true

4) Reload adclient
  
# adreload

5) The user is now seen as a member of the group for sudo rights. Confirm that the user can now run the sudo command:
 
User-added image

  
Additional Notes:
  
A) If the user's primary group in the Unix Profile, is the same as the GID of the local group, the user will not have this permissions issue.  The reason is that a user's primary group is handled differently that a secondary group and does not require a matching AD group to be a member.

B) The AIX OS is configured to use LAM.  But configuring AIX to use PAM (Pluggable Authentication Module) authentication will NOT mitigate this issue.  The AD group and the local group will still need to be merged.  This is because AIX PAM is actually implemented on top of LAM.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.