Grant full control to a domain group

Forgive me if this post is the wrong place.

NethServer = Version 7
VMware = Version 6.0
Hostname = us1-neth.us1.local

I have recently created a new VM in an effort to test out some of the features in Neth. I was drawn here by a LinkedIn member in response to a question I posed about joining a linux server to a Windows domain.

I have done this in several ways numerous times with CentOS and Neth made it super simple which intrigued me more. However, after joining the domain and being able to view the users and groups via Server Manager, I am struggling to find a way to grant full control to a domain group or user.

I thought simply modifying the /etc/sudoers would solve the issue, but it actually prevented all logins. The linuxadmins group does work, but when logging in as a domain user I cannot perform any tasks.

vi /etc/sudoers

Allow root to run any commands anywhere

%linuxadmins ALL=(ALL) ALLOW

%‘domain admins’ ALL=(ALL) ALLOW

Maybe this feature doesn’t exist in this version, but I thought I would pose the question, how do you elevate the permissions for domain users?

Thanks in advance

Hi @Bt_Crigna, thank you for asking.

I guess by “full control” you mean “to the server-manager web UI”, right?

On ns6 it can be achieved by creating an “administrators” group. On ns7 I think this does not work but we could find a workaround…

Do not modify it by hand! You could check the sudoers files against syntax errors with the visudo -c command.

Hi Bt_Cringa,

Usually there is a problem not escaping space characters.
You can try this alternatives:

%domain\ admins ALL=(ALL) ALL

%domain\domain\ admins ALL=(ALL) ALL

%domain\ ALL=(ALL) ALL

See this Link maybe it helps:

Much appreciated!

I added all of those options and a few from the article, I even tried some combinations of all of them and nothing worked.

Clearly, it’s a problem with assigning any other user administrative control. Is it possible that the Server Manager has a config file that needs to be edited or does it read from the SUDOERS?

Ran the visudo -c command and this is the output. I can change the ALLOW, but all changes were made manually. I am unsure how I would change it any other way.

visudo: Warning: Cmnd_Alias ALLOW' referenced but not defined visudo: Warning: Cmnd_AliasALLOW’ referenced but not defined
/etc/sudoers: parsed OK
/etc/sudoers.d/10_nethserver: parsed OK
/etc/sudoers.d/20_nethserver_base: parsed OK
/etc/sudoers.d/20_nethserver_sssd: parsed OK

Undo any change to /etc/sudoers. As said, it must not be modified by hand!

This is a possible solution. But the config parser has problems with sssd group names. We can’t adopt this solution until we fix Nethgui/Authorization/PolicyRule.php.

The other way is creating a Unix group, administrators and add some members to it. The builtin /usr/share/nethesis/NethServer/Authorization/base.json policy grants full access to members of administrators.

groupadd administrators
usermod -G administrators -a

Now user has full privileges from server-manager.


2 posts were merged into an existing topic: Nethserver-delegated-panel

Brilliant and easy. Thanks for the tip that solves the problem.

Thank you! Could you mark this topic as solved?

2 posts were split to a new topic: Unix accounts and sssd

I actually find a workaround to the Nethgui limitation that should be enough to fix ns7 problems:

It will be released soon, we’re working on the administrators group support for both LDAP and AD providers.

@Bt_Crigna what do you think about this fix?

We’ll push this further: members of the administrators group will be modifiable from the UI

1 Like