How to add Active Directory users to the wheel group to allow su restriction on Linux.
The wheel group is a local group.
Adding Active Directory users would usually require a manual edit of the group membership on each server.
Create an entry in the group-override file to allow an Active Directory group to control membership of the wheel group as follows:
1. Create a new group in Active Directory Users and Computers
2. Add the required Active Directory users to the new group.
3. Create a group-override entry on each server containing the GID of the wheel group and any local users that are required to su to root:
4. Comment out the local wheel group in /etc/group.
5. Edit the /etc/pam.d/su file and make sure that the following entry is either added or uncommented:
(Note: Save a copy of the original /etc/pam.d/su file in case you need to revert back to the original setting)
auth required pam_wheel.so use_uid root_only
6. Test that both an Active Directory user in the QASwheel group, and a local user in the group-override file can su to root.
To debug the above pam.d entry add 'debug' to the end of the line.
e.g auth required pam_wheel.so use_uid root_only debug
The output can be found in:
/var/log/secure (Default location for Redhat)