VMware Cloud Community
vmproteau
Enthusiast

Adding an Active Directory group to sudoers file

I found an article on "virtuallyghetto.com" that describes how to add an AD group to the vMA sudoers file. I am getting this message when trying to run certain scripts on ESXi hosts. I'm assuming this is referring to the vMA sudoers file and not the ESXi sudoers file (if one even exists anymore).

My question is regarding the bottom note "We're escaping both the initial forward slash and the space." I have limited Linux file editing knowledge, so I'm not 100% clear what the escaping portion refers to. Can anyone explain it in layman's terms, maybe by keystroke? The group I'll be adding is in the format Domain\AD Group.

If you would like to add an AD group to the sudoers file, you need to edit the /etc/sudoers file. You need to make sure you escape the initial forward slash and any white space that may be in the group name. In this example, we have a group called "VI Admins" that you would like all users to be able to log in to vMA with using their AD credentials and perform operations using sudo.

1. Edit /etc/sudoers using the vi-admin account; make sure you use 'sudo':

[vi-admin@kate ~]$ sudo vi /etc/sudoers

2. Add the following towards the bottom of the file:

%PRIMP-IND\\VI\ Admins ALL=(ALL) ALL

Note: We're escaping both the initial forward slash and the space.

3. Verify the user can now sudo by querying the sudo operations the user is allowed to execute:

[primp@kate ~]$ id
uid=1058014289(primp) gid=1058013696(domain^admins) groups=1058013696(domain^admins),1058014440(vi^admins)

[primp@kate ~]$ sudo -l
Password:
User primp may run the following commands on this host:
(ALL) ALL

dconvery
Champion

You will want to edit the sudoers file using the "visudo" command. Log in to the vMA as vi-admin and then run sudo visudo to properly edit the file. So, basically, the escape character here is a backslash. You need to "tell" the Linux file that you are getting ready to use a backslash or a space. So in your case, the syntax would be this:

%DOMAIN\\AD\ Group ALL=(ALL) ALL

I actually recommend to people to create a group with a dash or underscore rather than a space. Rather than "AD Group" try to use "AD-Group" or "AD_Group". If you use a dash, the syntax would be this:

%DOMAIN\\AD-Group ALL=(ALL) ALL

Yes, this is for the vMA, not the ESXi servers. You can use the VI Client to add AD groups to the ESXi servers.

Incidentally, here is a decent guide to the vi editor -> http://docs.freebsd.org/44doc/usd/12.vi/paper.html

Hope this info helps!

Dave Convery, VCDX3,4 #20

VMware vExpert 2009, 2010

http://www.dailyhypervisor.com

http://twitter.com/dconvery


Careful. We don't want to learn from this.  

Bill Watterson, "Calvin and Hobbes"

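As an added illustration of the escaping rule discussed in this thread (example code, not from the original posts or from vMA), the helper below builds the %group line for an AD group and parses it back, so you can confirm that sudoers will see exactly "DOMAIN\AD Group". Beyond the backslash and space shown on the page, it also escapes the other separator characters that sudoers(5) lists as needing a backslash inside a word; that wider set is an assumption taken from the sudoers manual, not something stated in the thread.

```python
import re

# Characters that sudoers treats as syntax (list/host/runas separators, the
# escape character itself and whitespace). The thread only shows backslash and
# space; the rest follow the escaping rule in sudoers(5) (assumption).
_SPECIAL = set('\\ !=:,()')


def escape_sudoers_name(name: str) -> str:
    """Put a backslash in front of every character sudoers would misparse."""
    return ''.join('\\' + ch if ch in _SPECIAL else ch for ch in name)


def sudoers_group_line(domain: str, group: str,
                       hosts: str = 'ALL', runas: str = 'ALL',
                       cmds: str = 'ALL') -> str:
    """Return the User_Spec granting sudo to AD group <domain>\\<group>.

    For domain 'PRIMP-IND' and group 'VI Admins' this yields the same line
    the thread adds to /etc/sudoers: %PRIMP-IND\\\\VI\\ Admins ALL=(ALL) ALL
    """
    spec = escape_sudoers_name(f'{domain}\\{group}')
    return f'%{spec} {hosts}=({runas}) {cmds}'


def unescape_sudoers_name(spec: str) -> str:
    """Reverse the escaping: this is the group name sudoers actually matches."""
    return re.sub(r'\\(.)', r'\1', spec)


def parse_group_line(line: str):
    """Split a %group User_Spec into (domain\\group, hosts, runas, cmds).

    The group token may contain escaped characters, so it is read as a run of
    either backslash-escaped pairs or non-whitespace characters.
    """
    m = re.match(r'^%((?:\\.|\S)+)\s+(\S+)=\((\S+)\)\s+(.+)$', line)
    if not m:
        raise ValueError(f'not a %group User_Spec: {line!r}')
    return unescape_sudoers_name(m.group(1)), m.group(2), m.group(3), m.group(4)


if __name__ == '__main__':
    for grp in ('AD Group', 'AD-Group', 'VI Admins'):
        line = sudoers_group_line('DOMAIN', grp)
        print(line, '->', parse_group_line(line)[0])
```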