On AIX, when using one of the following authentication methods: 'aixauth', 'pam', you may see the following error message when AD users run sudo and their access comes from membership in a group that is defined in the local /etc/sudoers file:
"command not allowed"
The user is also prompted for a password. No matter what password the user enters, the operation cannot continue.
However, sudo works for locally defined users.
By default, when matching groups, sudoers will first resolve all the user's group IDs to group names and then compare those group names to any group names listed in the sudoers file.
This works well on systems where the number of groups listed in the sudoers file is larger than the number of groups a typical user belongs to. On systems where group lookups are slow, where users may belong to a large number of groups, and where the number of groups listed in the sudoers file is relatively small, this may be prohibitively expensive, and running commands via sudo may take longer than normal, causing third-party applications to time out.
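The default name-based matching described above can be reproduced outside sudo to see how many lookups a user costs and which group IDs fail to resolve. This is an added diagnostic sketch, not code from sudo or One Identity; the function names, the simplified `%group` parser and the sample sudoers text are assumptions made for the example.

```python
import grp, os, pwd, re, time

# Simplified: plain %group tokens only (no aliases, %:nonunix or %#gid forms).
GROUP_TOKEN = re.compile(r'(?:^|[\s,])%([\w.-]+)')

# Constructed sample sudoers content, not taken from the article.
SAMPLE_SUDOERS = """\
# constructed example
root        ALL=(ALL) ALL
%unixadmins ALL=(ALL) ALL
%webops     ALL=(root) /usr/bin/stopsrc, /usr/bin/startsrc
"""

def sudoers_groups(text):
    """Return the %group names referenced in sudoers text."""
    found = set()
    for line in text.splitlines():
        if not line.lstrip().startswith('#'):   # skip comments
            found.update(GROUP_TOKEN.findall(line))
    return found

def match_by_name(user_gids, resolve, sudoers_text):
    """Resolve every GID the user holds to a name, then compare the names
    with the groups in sudoers. `resolve` raises KeyError for unknown GIDs."""
    wanted = sudoers_groups(sudoers_text)
    names, unresolved, slowest = set(), [], (None, 0.0)
    started = time.perf_counter()
    for gid in user_gids:
        t0 = time.perf_counter()
        try:
            names.add(resolve(gid))
        except KeyError:
            unresolved.append(gid)      # GID with no name can never match
        took = time.perf_counter() - t0
        if took >= slowest[1]:
            slowest = (gid, took)
    return {"matched": sorted(names & wanted), "unresolved": unresolved,
            "lookups": len(user_gids), "slowest": slowest,
            "seconds": time.perf_counter() - started}

def live_report(user, sudoers_path="/etc/sudoers"):
    """Same check against the running system (needs read access to sudoers)."""
    gids = os.getgrouplist(user, pwd.getpwnam(user).pw_gid)
    with open(sudoers_path) as fh:
        return match_by_name(gids, lambda g: grp.getgrgid(g).gr_name, fh.read())
```

A large `lookups` count with a high `seconds` value, or a non-empty `unresolved` list for an AD user, points at group resolution rather than at the sudoers rule itself.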