Univention Domain Join - sudo?


#1

Hi!

I just installed Univention Domain Join on one of my Ubuntu Client Systems and the domain join worked so far.

Primary question is how to manage “sudoers” in this setup? Actually my user which is member of “Domain Admins” group in the Univention domain can login but cannot do sudo to gain more privileges. How could this be accomplished?

I found no documentation for the Univention Domain Join packages on Github and the Univention documentation is Corporate Client (UCC) mostly.

I found this Wiki entry but it seems to be tailored to run ON an UCS machine?

So, is there a way to put a user in a domain group to get (somehow) propagated to the Ubuntu client? Any hints on configuring local sudo config on the Ubuntu client?
Can ALL user accounts now login to this client?

Thanks a lot for any help on this!

with best
Daniel


#2

Hey,

on UCS systems with default settings the members of the Domain Admins group already have such access through the file /etc/sudoers.d/univention. You can simply copy that file over to your Ubuntu machine. Pay attention to the file ownership and permissions because sudo is anal about them: ownership must be root:root and permissions must be 0440.

In case you don’t have default settings regarding sudo on your UCS systems, here’s the corresponding line to put into such a file:

%Domain\ Admins ALL=(ALL:ALL) ALL

Again, pay close attention to file ownership and permissions. In fact, don’t use just any editor for creating such a file — use the right tool for the job:

visudo -f /etc/sudoers.d/univention

Not only will it get ownership & permissions right for you, it’ll also syntax-check the file when you save & exit the editor and report any errors so that you can fix them.

m.


#3

Hi Moritz!

Thanks a lot for your help with this - it worked perfectly! :+1:

Aside from sudo, is there a way to control which domain users can log on to a machine (with groups?)? Actually, it looks like any univention user can SSH in my machine now - I'd prefer having this managed by a group too.

Best regards
Daniel


#4

Hey,

for UCS systems you can restrict that easily by setting certain UCR variables (see ucr search auth/sshd/).

For your Ubuntu systems you’ll have to configure the same manually:

  1. Include pam_access in an appropriate place in /etc/pam.d/sshd and let it refer to a file such as /etc/security/access-sshd.conf
  2. Create said file & add your desired access rules (see man access.conf)

The easiest way is probably to configure your UCS systems via UCR variables first and then use the files generated by the UCR system as a template for your Ubuntu servers.

m.


#5

Again, thanks a lot for your help!


#6

You’re quite welcome.