-
Title
Sudoers does not recognize group members. Sudo stops working for some groups when using sudo 1.8.15 or higher -
Description
The following type of entry in sudoers no longer works for some Active Directory groups when using Sudo versions above 1.8.15:%myadmingroup ALL=(root) /bin/su, /usr/bin/su, /bin/su -, /usr/bin/su -Where myadmingroup is a non-Unix enabled Active Directory group.Even though the sudo_vas plugin is enabled:Defaults group_plugin = /opt/quest/lib64/libsudo_vas.so -
Cause
There was a code change in Sudo version 1.8.15.The sudo changelog says:Added the always_query_group_plugin Defaults option to control whether groups not found in the system group database are passed to the group plugin.Previously, unknown system groups were always passed to the group plugin.
The Sudoers manual entry for this option says:always_query_group_plugin
If a group_plugin is configured, use it to resolve groups of the form %group as long as there is not also a system group of the same name.
Normally, only groups of the form %:group are passed to the group_plugin.
This flag is off by default.
This issue is frequently seen when using non-Unix enabled groups in your sudoers configuration, but it has been seen with Unix enabled groups as well.
-
Resolution
RESOLUTION:
1 - Run /opt/quest/bin/vastool configure sudovastool configure sudo will configure sudo to allow access control based on Active Directory groups that are not Unix-enabled. The location of the configuration file (sudoers file) will be determined automatically if visudo is in your PATH. Alternatively you can provide the path to visudo with the -V option, or the path to a sudoers file with the -f option.
2 - Configure the always_query_group_plugin option in the sudoers file:
Defaults always_query_group_plugin
WORKAROUND 2:Add a colon after the percentage sign and before the group name.E.g%:myadmingroup ALL=(root) /bin/su, /usr/bin/su, /bin/su -, /usr/bin/su -
STATUS:From 4.1.5.23440 vastool now automatically adds the always_query_group_plugin option to the sudoers file, if 1.8.15+ is detected.4.1.5.23440Bug 747413* vastool: During configure sudo, check for version 1.8.15+, and addalways_query_group_plugin. -
Change Request
747413 -
Additional Information
Also make sure that the correct attribute is being used for the group name. The sAMAccountName attribute for the group should be used in the sudoers file.