AD users who are members of an AD Unix-enabled group cannot use sudo on one machine. The same AD users can sudo on other machines that have the same sudoers configuration file.
sudo -l reports:
Sorry, user USERNAME may not run sudo on MACHINENAME.
CAUSE 1: There was a local group with the same name as the AD Unix-enabled group, which caused a conflict.
CAUSE 2: There was a sudo rule containing the AD group name; however, that name was overridden to another name in the group_override file.
RESOLUTION 1:
1 - Delete the local group with the same name.
RESOLUTION 2:
1 - Check whether there is an override for the user or the group in the /etc/opt/quest/vas/user-override or group_override files.
2 - The commands below are helpful for finding out whether overrides exist:
/opt/quest/bin/vastool nss getgrnam {GROUPNAME}
/opt/quest/bin/vastool nss getgrgid {GID NUMBER}
/opt/quest/bin/vastool nss getpwnam {USERNAME}
3 - Put the overridden name of the group in the sudoers file instead of the AD group name.
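The following diagnostic script is an added example and is not One Identity's code. It checks the two causes above offline against constructed sample files standing in for /etc/group and group_override: whether a local group shadows the AD group name, and whether the AD group has been renamed by an override, in which case it reports the name a sudoers rule must use. The override line layout it assumes ("AD group:override name:gid:members") is a simplification; compare it with the real /etc/opt/quest/vas/group_override on the affected machine.

```shell
#!/bin/sh
# Added example, not from the article. Checks CAUSE 1 and CAUSE 2 against
# constructed sample files rather than the live /etc/group and group_override.
# Assumed simplified override format: "<AD group name>:<override name>:<gid>:<members>"

# Constructed sample files standing in for /etc/group and group_override.
SAMPLE_GROUP_FILE=$(mktemp)
SAMPLE_OVERRIDE_FILE=$(mktemp)
cat >"$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:
unixadmins:x:1001:
EOF
cat >"$SAMPLE_OVERRIDE_FILE" <<'EOF'
# AD group : override name : gid : members   (assumed layout, constructed sample)
linuxadmins:lnxadm:2001:
EOF

# local_group_conflict NAME GROUPFILE -> exit 0 if a local group NAME exists (CAUSE 1)
local_group_conflict() {
    grep -q "^$1:" "$2"
}

# override_name NAME OVERRIDEFILE -> prints the overridden name for AD group NAME,
# or nothing when the group is not overridden (comment lines are skipped)
override_name() {
    grep -v '^#' "$2" | awk -F: -v g="$1" '$1 == g { print $2; exit }'
}

# sudoers_group_name NAME OVERRIDEFILE -> the group name a sudoers rule must use:
# the override name when one exists, otherwise the AD group name itself
sudoers_group_name() {
    _ov=$(override_name "$1" "$2")
    if [ -n "$_ov" ]; then
        printf '%s\n' "$_ov"
    else
        printf '%s\n' "$1"
    fi
}

# diagnose NAME GROUPFILE OVERRIDEFILE -> one-line verdict matching the causes above
diagnose() {
    if local_group_conflict "$1" "$2"; then
        echo "CAUSE 1: local group '$1' shadows the AD group; delete the local group"
    elif [ -n "$(override_name "$1" "$3")" ]; then
        echo "CAUSE 2: AD group '$1' is overridden to '$(override_name "$1" "$3")'; use that name in sudoers"
    else
        echo "No local conflict or override found for '$1'"
    fi
}

diagnose unixadmins  "$SAMPLE_GROUP_FILE" "$SAMPLE_OVERRIDE_FILE"
diagnose linuxadmins "$SAMPLE_GROUP_FILE" "$SAMPLE_OVERRIDE_FILE"
diagnose developers  "$SAMPLE_GROUP_FILE" "$SAMPLE_OVERRIDE_FILE"
```

On a real host, point the functions at /etc/group and /etc/opt/quest/vas/group_override and cross-check the result with the vastool nss getgrnam command listed in step 2, which reports the name the NSS layer actually resolves.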