I've joined the domain and set up group login successfully, but can't get sudo to work for members of that group. `%DOMAIN\\domain-group ALL=(ALL) ALL` in `/etc/sudoers` doesn't work---users are not considered to be in sudoers. I think this has something to do with the way Ubuntu is interpreting the AD group because:

  • The AD group settings are identical to other working groups, and `domain-group` works on RHEL servers.
  • `/etc/sssd/sssd.conf` is also identical to working RHEL servers.
  • Domain user home directories, etc. are assigned to the `domain users` group as on working RHEL servers.
  • I can give individual domain users sudo access via `/etc/sudoers`, but not the group.
  • Logging in as a domain user gives the warning `groups: cannot find name for group ID 16720351`. When a domain user runs `id`, `domain-group` is associated with 16745417 instead of this gID.
  • `domain-group` is not in `/etc/group`, but when I attempt to use `groupadd domain-group` to add the group manually, I get the error `groupadd: group 'domain-group' already exists`.

So what's the problem? Is there an Ubuntu-exclusive switch I need to flip or something?

ardelbrax
  • Read `man nsswitch.conf`. – waltinator Dec 12 '20 at 06:06
  • Please can you fix your question so that if you mean `DOMAIN\\domain-group` then all your examples use that, and if you mean `domain-group` or `domain users` or even `DOMAIN\\domain users` then everything uses that. It's really hard to work out what you mean with these apparent inconsistencies. Thanks – roaima Dec 14 '20 at 14:02
  • Does this answer your question? [Allow AD Groups to SUDO](https://unix.stackexchange.com/questions/150476/allow-ad-groups-to-sudo) – roaima Jan 31 '22 at 18:52

1 Answer

I'm not doing this on Ubuntu, so I don't know if there is something special there, but in CentOS I don't have to specify the domain in sudoers, so the syntax I use is:

```
%domain_group  ALL=(ALL) NOPASSWD: ALL
```

Groups with spaces in them have to escape the space:

```
%Linux\ Admins       ALL=(ALL) NOPASSWD: ALL
```

devons
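A diagnostic sketch for the symptoms in this thread, added here as an example and not taken from either post: it extracts the `%group` names from sudoers text (undoing the `\ ` and `\\` escapes) and checks each one through the same NSS lookups that `id` and `getent` use, along with any GID of the user that has no name. The function names and the script name `check_sudo_groups.py` are made up for this example, and the check approximates sudo's group matching rather than reproducing it.

```python
import grp
import os
import pwd
import re
import sys

# '%name' starts a group rule; '\' escapes the next character ('\ ' or '\\').
# The '%#gid' and '%:nonunix_group' forms are skipped.
GROUP_SPEC = re.compile(r'^%(?![#:])((?:\\.|[^\s\\])+)\s')


def sudoers_groups(text):
    """Return the unescaped group name of every '%group' rule in sudoers text."""
    names = []
    for line in text.splitlines():
        m = GROUP_SPEC.match(line.strip() + " ")
        if m:
            names.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return names


def audit(rule_groups, user_gids, getgrnam=grp.getgrnam, getgrgid=grp.getgrgid):
    """Return (unresolved rule names, user GIDs with no name, rule names the user holds)."""
    unnamed = []
    for gid in user_gids:
        try:
            getgrgid(gid)
        except KeyError:
            unnamed.append(gid)  # what "cannot find name for group ID" reports
    unresolved, held = [], []
    for name in rule_groups:
        try:
            gid = getgrnam(name).gr_gid
        except KeyError:
            unresolved.append(name)  # NSS knows no group under this exact name
            continue
        if gid in user_gids:
            held.append(name)
    return unresolved, unnamed, held


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_sudo_groups.py USER [SUDOERS_FILE]  (run as root)")
    user = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/sudoers"
    gids = os.getgrouplist(user, pwd.getpwnam(user).pw_gid)
    with open(path) as fh:
        unresolved, unnamed, held = audit(sudoers_groups(fh.read()), gids)
    print("rule groups NSS cannot resolve:", unresolved)
    print("GIDs of", user, "without a name:", unnamed)
    print("rule groups", user, "belongs to:", held)
```

Files under `/etc/sudoers.d/` are not read unless one is passed as the second argument.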