An AD (Active Directory) user who belongs to a group defined in /etc/group is not allowed to run a sudo command, even when that local group has been granted the permission in the sudoers file. The error seen is: "Sorry, user <username> may not run sudo on <machinename>."
AD user is: bugs
Local group in /etc/group is: cfy-mqm
/etc/sudoers contains an assigned right for group cfy-mqm:
An error appears when bugs runs the command sudo -l:
This issue is due to the AIX implementation of LAM (Loadable Authentication Module) and IBM's adaptation of sudo. LAM is not only an authentication mechanism; it is also the proprietary user/group lookup mechanism on AIX, comparable to NSS on other Unix/Linux platforms. AIX uses a "REGISTRY" attribute to determine where a user or group is defined. In this case, the IBM-adapted sudo recognizes that the user attempting sudo is an AD user, and it ONLY recognizes groups from the same registry as the user (CENTRIFYDC). During the sudo permission check, this model does not take into account that the AD user belongs to a local group.
The solution is to create an AD group and zone-enable it with the same name and GID as the AIX local group.
1) Create the AD group. The group does NOT need to have members. However, if the AD user is added to the AD group, that user can then be removed from the AIX local group and will still be considered a member.
2) Zone-enable the group with the same GID as the local group.
3) Set the following parameter in /etc/centrifydc/centrifydc.conf
4) Reload adclient.
5) The user is now seen as a member of the group for sudo rights. Confirm that the user can now run the sudo command:
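The following pre-flight check is an added example, not part of this article or of the Centrify product: it reads the local GID from an /etc/group-style file and applies the rules above (a matching primary group needs no AD group; otherwise a zone-enabled AD group with the same GID must exist). The group file and GIDs are constructed sample data; it does not assume any particular AD lookup command.

```sh
#!/bin/sh
# Constructed sample in AIX /etc/group format (name:!:gid:members), used
# instead of the real /etc/group so the check runs anywhere.
GROUP_FILE=/tmp/group.sample.$$
cat > "$GROUP_FILE" <<'EOF'
system:!:0:root
staff:!:1:
cfy-mqm:!:2001:
EOF

# Print the GID of a local group; exit 1 if the group is not in the file.
# $1 = group file, $2 = group name
local_gid() {
    awk -F: -v g="$2" '$1 == g { print $3; found = 1 }
                      END { if (!found) exit 1 }' "$1"
}

# Decide whether sudo will treat the AD user as a member of the local group.
# $1 = user's primary GID from the Unix profile
# $2 = GID of the local group named in sudoers
# $3 = GID of the zone-enabled AD group with the same name ("" if none)
# Prints: primary  (no fix needed, primary group is matched directly)
#         merged   (AD group zone-enabled with the local GID, fix in place)
#         missing  (no AD group of that name, sudo will deny)
#         mismatch (AD group exists but its GID differs, sudo will deny)
sudo_group_status() {
    if [ "$1" = "$2" ]; then echo primary; return 0; fi
    if [ -z "$3" ]; then echo missing; return 1; fi
    if [ "$3" = "$2" ]; then echo merged; return 0; fi
    echo mismatch; return 1
}

# Example run with the constructed data: user bugs has primary GID 10001.
LOCAL_GID=$(local_gid "$GROUP_FILE" cfy-mqm)
sudo_group_status 10001 "$LOCAL_GID" ""           # missing
sudo_group_status 10001 "$LOCAL_GID" "$LOCAL_GID" # merged
rm -f "$GROUP_FILE"
```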
A) If the user's primary group in the Unix profile has the same GID as the local group, the user will not have this permissions issue. The reason is that a user's primary group is handled differently than a secondary group and does not require a matching AD group for the user to be considered a member.
B) The AIX OS is configured to use LAM, but switching AIX to PAM (Pluggable Authentication Module) authentication will NOT mitigate this issue; the AD group and the local group will still need to be merged. This is because AIX PAM is actually implemented on top of LAM.