环境
我们正在运行多个 Ubuntu 22.04 系统。作为初始配置的一部分,这些系统通过 GUI 添加到 Windows Active Directory 域中。我们有一个名为“sudoers”的 Active Directory 组,其中包含多个 Active Directory 用户。我们已通过 visudo 修改了 sudoers (/etc/sudoers) 文件以包含来自 Active Directory 的“sudoers”组。SSH 正在系统上运行。
用户可以通过其 Active Directory 凭据建立 ssh 会话。“sudoers”Active Directory 组的成员能够从 ssh 会话中提升命令。有时。
问题
间歇性地,suoders 组的成员将建立 ssh 会话,尝试运行提升权限的命令,并收到“不在 sudoers 文件中。此事件将被报告。”消息。当同一用户建立多个 ssh 会话时,似乎会发生此问题。如果用户在问题状态下运行“groups”命令,则不会显示 sudoers 组。但是,如果同一用户从不同的 ssh 会话运行“groups”命令(而另一个 ssh 会话仍处于问题状态),则会显示 sudoers 组。
我们尝试了多种配置更改,但均未成功。如能提供任何指导,我们将不胜感激!
参考
我列出了 sudoers 文件内容和 sssd.conf(/etc/sssd/sssd.conf)文件内容以供参考。
## This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults use_pty
# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"
# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"
# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Added Manually
%sudoers ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
[sssd]
domains = domain.local
config_file_version = 2
Services = nss, pam
[domain/domain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = domain.local
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
#ldap_schema = rfc2307bis
#ldap_group_name = cn
#ldap_group_member = member