Here's the text from the help topic on configuring entries in sudoers: 

Configure Entries in Your Sudoers Files
When you add Active Directory entries to your sudoers file -- typically,
/etc/sudoers --  you must adhere to at least the following rules:

ALL must be in uppercase letters.

Use a slash character to escape the slash that separates the Active
Directory domain from the user or group name.

Use the correct case; entries are case sensitive.

Use a user or group's alias if the user or group has one in Active
Directory.

If the user or group does not have an alias, you must set the user or
group in the Likewise canonical name format of
NetBIOSdomainName\SAMaccountName (and escape the slash character).

Note: For users or groups with an alias, the Likewise canonical name
format is the alias, which you must use; you cannot use the format of
NetBIOS domain name\SAM account name.

So, for users and groups without an alias, the form of an entry in the
sudoers file is as follows:

DOMAIN\\username

DOMAIN\\groupname

Example entry of a group:

%LIKEWISEDEMO\\LinuxFullAdmins ALL=(ALL) ALL

Example entry of a user with an alias:

kyle ALL=(ALL) ALL

For more information about how to format your sudoers file, see your
computer's man page for sudo.

Check a User's Canonical Name on Linux
To determine the canonical name of a Likewise user on Linux, execute the
following command, replacing the domain and user in the example with
your domain and user:

getent passwd likewisedemo.com\\hab

LIKEWISEDEMO\hab:x:593495196:593494529:Jurgen Habermas:/home/local/LIKEWISEDEMO/hab:/bin/sh

In the results, the user's Likewise canonical name is the first field.




Steve Hoenisch
Likewise Software Inc.
shoeni...@likewise.com

15395 SE 30th Place, Suite 140
Bellevue, WA 98007 
www.likewise.com
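
The rules in the help topic above, as an added example that is not part of the original message or of the Likewise documentation: the script builds a sudoers entry from the first field of a getent line and lints an entry against the escaping, case and uppercase-ALL rules. The function names are hypothetical and the sample getent line is constructed from the one quoted above.

```shell
#!/bin/sh
# Added example: function names are hypothetical; sample data is constructed.

# First field of a `getent passwd` or `getent group` line: the canonical name.
canonical_name() { printf '%s\n' "$1" | cut -d: -f1; }

# sudoers_entry user|group NAME: double the backslash; groups get a % prefix.
sudoers_entry() {
    escaped=$(printf '%s\n' "$2" | sed 's/\\/\\\\/g')
    case $1 in
        group) printf '%%%s ALL=(ALL) ALL\n' "$escaped" ;;
        user)  printf '%s ALL=(ALL) ALL\n' "$escaped" ;;
        *)     return 2 ;;
    esac
}

# lint_entry ENTRY CANON: check one sudoers line against the rules above.
# Prints the first problem found and returns 1; returns 0 if none.
lint_entry() {
    who=${1%% *}; who=${who#"%"}    # principal, without the group marker
    rest=${1#* }                    # host/runas/command part
    # Rule: the domain separator must be escaped (no lone backslash).
    case $(printf '%s\n' "$who" | sed 's/\\\\//g') in
        *\\*) echo "unescaped backslash"; return 1 ;;
    esac
    # Rule: entries are case sensitive, so compare with the canonical name.
    if [ "$(printf '%s\n' "$who" | sed 's/\\\\/\\/g')" != "$2" ]; then
        echo "does not match canonical name"; return 1
    fi
    # Rule: ALL must be uppercase.
    if printf '%s\n' "$rest" | grep -iow 'all' | grep -vqx 'ALL'; then
        echo "ALL not uppercase"; return 1
    fi
}

# Constructed getent output, modelled on the example quoted above.
line='LIKEWISEDEMO\hab:x:593495196:593494529:Jurgen Habermas:/home/local/LIKEWISEDEMO/hab:/bin/sh'
sudoers_entry user "$(canonical_name "$line")"
```

After adding a generated line with visudo, `visudo -c` checks the syntax of the resulting file.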


-----Original Message-----
From: likewise-open-discuss-boun...@lists.likewisesoftware.com
[mailto:likewise-open-discuss-boun...@lists.likewisesoftware.com] On
Behalf Of Justin Pittman
Sent: Tuesday, April 28, 2009 12:56 PM
To: Drew Patten; Briguglio, Frank (10421)
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: Re: [Likewise-open-discuss] SUDO Access

The previous post was a working syntax for group membership.
%MYDOMAIN\\MyLinuxAdminGroup ALL=(ALL) ALL

You'd have to replace the domain and group with actual names from AD.
If that doesn't work, then the help file has several suggestions and
troubleshooting techniques for sudo, id, etc.

Justin

-----Original Message-----
From: likewise-open-discuss-boun...@lists.likewisesoftware.com
[mailto:likewise-open-discuss-boun...@lists.likewisesoftware.com] On
Behalf Of Drew Patten
Sent: Tuesday, April 28, 2009 3:27 PM
To: Briguglio, Frank (10421)
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: Re: [Likewise-open-discuss] SUDO Access

I tried getting this to work with the latest version and didn't have any
luck. I was never able to grant an AD account root access; to this day I
have to 'su' to gain it.

Can you copy/paste the line in your sudoers file so I can take a look at
the syntax?



-----Original Message-----
From: likewise-open-discuss-boun...@lists.likewisesoftware.com
[mailto:likewise-open-discuss-boun...@lists.likewisesoftware.com] On
Behalf Of Briguglio, Frank (10421)
Sent: Tuesday, April 28, 2009 3:23 PM
To: Justin Pittman
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: Re: [Likewise-open-discuss] SUDO Access

I added something like %MYDOMAIN\\MyLinuxAdminGroup ALL=(ALL) ALL to the
sudoers file via visudo and it works great for the proof of concept I
was trying to achieve. 

-- Frank J. Briguglio | Protiviti Government Solutions

-----Original Message-----
From: Justin Pittman [mailto:jpitt...@likewise.com]
Sent: Tuesday, April 28, 2009 3:08 PM
To: Briguglio, Frank (10421)
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: RE: [Likewise-open-discuss] SUDO Access

Likewise Enterprise has the same functionality as Open for name
services.
The users or groups defined in a sudoers file will be resolved to a
UID/GID, and Likewise is defined to resolve usernames and groupnames via
AD if they are not found locally.  (This is the 'passwd files lsass'
entry in nsswitch.conf, and its group counterpart.)  For groups an
enumeration of its members also happens, and Likewise can return the
members' UIDs from AD.

As far as AD problems and local administrative backdoors, even if a
Likewise client's connectivity to DCs/DNS collapses, caching is enabled
by default.
Locally cached IDs would allow sudo to continue to function.

Justin

-----Original Message-----
From: likewise-open-discuss-boun...@lists.likewisesoftware.com
[mailto:likewise-open-discuss-boun...@lists.likewisesoftware.com] On
Behalf Of Briguglio, Frank (10421)
Sent: Tuesday, April 28, 2009 10:39 AM
To: likewise-open-discuss@lists.likewisesoftware.com
Subject: Re: [Likewise-open-discuss] SUDO Access

Good point.

 

I did see where I could use a combination of an AD group and the sudoers
file. Is anyone trying this approach? It seems to be the best approach.

 

-- Frank J. Briguglio | Protiviti Government Solutions

________________________________

From: Alan Hatch [mailto:aha...@dollargeneral.com]
Sent: Tuesday, April 28, 2009 10:34 AM
To: Briguglio, Frank (10421);
likewise-open-discuss@lists.likewisesoftware.com
Subject: RE: SUDO Access

 

Frank,

 

To add to what has already been offered, you can also set your admins up
in a local group and use that group to control access via the sudoers
file if you want more granular access (that is how we manage developer
accounts).

 

Please be aware, however, that your Linux admins won't be able to do
their job if you have AD issues (we maintain local accounts for all
administrators).

 

________________________________

From: likewise-open-discuss-boun...@lists.likewisesoftware.com
[mailto:likewise-open-discuss-boun...@lists.likewisesoftware.com] On
Behalf Of Briguglio, Frank (10421)
Sent: Tuesday, April 28, 2009 9:07 AM
To: likewise-open-discuss@lists.likewisesoftware.com
Subject: [Likewise-open-discuss] SUDO Access

 

I would like to have Linux admins log in with AD credentials and then
sudo to perform advanced administrative tasks. With Likewise Open can I
configure this without modifying the sudoers file? What about Likewise
Enterprise?
Thanks in advance.

 

 


_____________________________________________________________________
Likewise-open-discuss mailing list
Likewise-open-discuss@lists.likewisesoftware.com
Found a bug?  Please file a report:
http://lobugs.likewise.com/
Looking for other discussion options?  Try our forums:
http://www.likewise.com/community/index.php/forums/