How to add Active Directory users to the wheel group to allow su restriction on Linux.
The wheel group is a local group.
Adding Active Directory users would usually require a manual edit of the group membership on each server.
Create an entry in the group-override file to allow an Active Directory group to control membership of the wheel group as follows:
1. Create a new group in Active Directory Users and Computers, e.g. QASwheel.
2. Add the required Active Directory users to the new group.
3. Create a group-override entry on each server, containing the Active Directory group, the local group name (wheel), the GID of the wheel group and any local users that still need to su to root:
/etc/opt/quest/vas/group-override
<DOMAIN>\QASwheel:wheel:10:localuser1,localuser2
4. Comment out the local wheel group's line in /etc/group by prefixing it with #, so that the group-override entry (rather than the local entry) defines the group:
# wheel
5. Edit the /etc/pam.d/su file and make sure that the following entry is present and uncommented (save a copy of the original /etc/pam.d/su file first, in case you need to revert to the original setting):
auth required pam_wheel.so use_uid root_only
6. Test that both an Active Directory user in the QASwheel group and a local user listed in the group-override file can su to root.
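The following is an added example, not part of the original article or the product's own tooling: an offline pre-flight check for steps 3 to 5. It writes constructed copies of group-override, /etc/group and /etc/pam.d/su under a scratch directory (the domain name EXAMPLE and the local user names are placeholders) and verifies that the override GID matches the commented-out local wheel GID, that no active wheel line remains in /etc/group, and that the pam_wheel line is enabled with use_uid and root_only. Point check_wheel_setup at / instead of the scratch directory to run the same checks against a real server.

```shell
#!/bin/sh
# Added example, not from the original article: an offline pre-flight check
# for the group-override + pam_wheel setup described in steps 3-5. It builds
# constructed copies of the three files under a scratch directory, so it never
# reads or modifies the real /etc. The domain name EXAMPLE is a placeholder.

# Write constructed sample files under "$1" mirroring the article's layout.
make_sample_config() {
    mkdir -p "$1/etc/opt/quest/vas" "$1/etc/pam.d"
    # step 3: AD group, local group name, GID, comma-separated local members
    printf '%s\n' 'EXAMPLE\QASwheel:wheel:10:localuser1,localuser2' \
        > "$1/etc/opt/quest/vas/group-override"
    # step 4: the local wheel line commented out, other groups untouched
    printf '%s\n' 'root:x:0:' '#wheel:x:10:' 'users:x:100:' > "$1/etc/group"
    # step 5: pam_wheel enabled with use_uid and root_only
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        'auth required pam_wheel.so use_uid root_only' \
        'auth include system-auth' > "$1/etc/pam.d/su"
}

# Print the GID the group-override file ($1) assigns to local group $2.
override_gid_for() {
    awk -F: -v grp="$2" '$2 == grp { print $3; exit }' "$1"
}

# Print the local members the group-override file ($1) keeps in group $2.
override_members_for() {
    awk -F: -v grp="$2" '$2 == grp { print $4; exit }' "$1"
}

# Print the GID recorded on the commented-out line for group $2 in $1.
commented_group_gid() {
    sed -n "s/^#[ ]*$2:[^:]*:\([0-9][0-9]*\):.*/\1/p" "$1" | head -n 1
}

# Succeed only if no active (uncommented) line in $1 still defines group $2;
# an active local entry would shadow the group-override mapping.
local_group_disabled() {
    ! grep -q "^$2:" "$1"
}

# Succeed only if $1 has an uncommented "auth required pam_wheel.so" line
# carrying both use_uid and root_only.
pam_wheel_enabled() {
    awk '$1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" {
             for (i = 4; i <= NF; i++) {
                 if ($i == "use_uid") u = 1
                 if ($i == "root_only") r = 1
             }
         }
         END { exit !(u && r) }' "$1"
}

# Run every check against the tree rooted at "$1"; return the failure count.
check_wheel_setup() {
    fails=0
    ovr="$1/etc/opt/quest/vas/group-override"
    want=$(commented_group_gid "$1/etc/group" wheel)
    got=$(override_gid_for "$ovr" wheel)
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "ok:   override maps wheel to GID $got (matches /etc/group)"
    else
        echo "FAIL: override GID '$got' does not match local wheel GID '$want'"
        fails=$((fails + 1))
    fi
    if local_group_disabled "$1/etc/group" wheel; then
        echo "ok:   local wheel entry is commented out"
    else
        echo "FAIL: local wheel entry still active in /etc/group"
        fails=$((fails + 1))
    fi
    if pam_wheel_enabled "$1/etc/pam.d/su"; then
        echo "ok:   pam_wheel.so use_uid root_only is enabled in pam.d/su"
    else
        echo "FAIL: pam_wheel line missing, commented out, or lacking options"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone demo: a correct tree passes, one with wheel left active fails.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir"
check_wheel_setup "$demo_dir"
printf '%s\n' 'wheel:x:10:' >> "$demo_dir/etc/group"   # undo step 4
check_wheel_setup "$demo_dir" || echo "(expected failure count: $?)"
rm -rf "$demo_dir"
```

The GID comparison is the check most worth automating: if the override entry carries a different GID from the original local wheel group, files and PAM decisions keyed on the old GID no longer line up with the Active Directory-backed group.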
To debug the above pam.d entry, add 'debug' to the end of the line, e.g.:
auth required pam_wheel.so use_uid root_only debug
The debug output is written to the system authentication log:
/var/log/secure (default location on Red Hat)
/var/log/messages (SUSE)