Linux Domain Admins as root

Alastair Grant | Wednesday 26 November 2014

It is possible to add some Linux distributions to a Windows Active Directory domain. On openSUSE 13.2 this is a matter of ensuring the "samba-client" package is installed; you should then see "Windows Domain Membership" under "Network Services" in YaST.

Joining the domain is fairly simple, and you can select whether you want to authenticate users and create home directories.

This will grant everybody with an AD account logon rights to the box. Brilliant, but you probably want to be able to administer the box too. Linux encourages us not to log on as root, but instead to elevate our privileges explicitly through the "sudo" command when running sensitive commands, so we should try to embrace that with our Windows membership.

To grant all Domain Admin users access to run sudo for anything on the box we need to adjust the sudoers file. This is something that YaST allows us to configure, but it falls apart when trying to handle spaces in group names, so we have to do it by hand.

To edit the file, do not open it directly in vi. Use the dedicated command "visudo" instead, which opens the file in vim, locks it against simultaneous edits and checks the syntax before saving. Then you just need to add the following line to the bottom of the file:

%DOMAIN\\domain\ admins    ALL=(ALL) NOPASSWD:ALL

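Replace DOMAIN with whatever your domain is. The % means it's a group, the "\\" is the escaped backslash between the domain and the group name, and "\ " is the escaped space inside the group name.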

Users logged in through AD in the domain admins group will be able to run sudo without being prompted for the root password.
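The escaping in that line can be generated and syntax-checked from the shell before it is typed into visudo. This is an added example, not part of the original post: EXAMPLE is a placeholder domain, the function names are made up for illustration, and it generalises the line above to any group name containing spaces.

```shell
#!/bin/sh
# Added example: build the sudoers entry for an AD group and syntax-check it
# in a scratch file before it goes into the real sudoers file.

# sudoers_group_entry DOMAIN GROUP   (hypothetical helper name)
# Prints the sudoers line for DOMAIN\GROUP. In sudoers the domain separator
# is written as "\\" and every space in the group name as "\ ".
sudoers_group_entry() {
    domain=$1
    group=$2
    # Escape each space in the group name with a backslash.
    escaped_group=$(printf '%s' "$group" | sed 's/ /\\ /g')
    # %% prints a literal %, \\\\ prints the two backslashes sudoers expects.
    printf '%%%s\\\\%s    ALL=(ALL) NOPASSWD:ALL\n' "$domain" "$escaped_group"
}

# check_sudoers_entry LINE   (hypothetical helper name)
# Writes LINE to a temporary file and runs visudo in check-only mode on it.
# Returns visudo's exit status, or 2 if visudo is not installed.
check_sudoers_entry() {
    command -v visudo >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    visudo -c -f "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample values: EXAMPLE stands in for your own domain name.
entry=$(sudoers_group_entry "EXAMPLE" "domain admins")
printf '%s\n' "$entry"
if check_sudoers_entry "$entry"; then
    echo "syntax OK"
else
    echo "not validated (visudo missing or syntax error)"
fi
```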

