Can I give an Active Directory group sudo permissions?

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
I'm running a FreeNAS 9.10 fileserver bound to AD. All users (except the local admin) log in with their AD credentials to get access to their home directory, SMB shares, etc.

I would like one of the existing AD groups to have sudo rights on my FreeNAS. Is this possible?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I'm running a FreeNAS 9.10 fileserver bound to AD. All users (except the local admin) log in with their AD credentials to get access to their home directory, SMB shares, etc.

I would like one of the existing AD groups to have sudo rights on my FreeNAS. Is this possible?

At present (as far as I can tell) there doesn't appear to be a way to make it persistent across reboots. What are you trying to accomplish? There's not a lot of configuration that can be achieved via the CLI (at least in a way that's stable).

I think it's not a bad idea to have a checkbox in the "directory services" -> "active directory" config to automatically add "DOMAIN\Domain Admins" to the sudoers file.
 

Luke Jaeger

At present (as far as I can tell) there doesn't appear to be a way to make it persistent across reboots. What are you trying to accomplish? There's not a lot of configuration that can be achieved via the CLI (at least in a way that's stable).

I have a bunch of scripts that run daily via cron, as root. I'd like members of one AD group to be able to run the script by hand when they want to. The script involves git commands which require sudo rights, so it wouldn't be enough to just give them a copy of the script that they own.

I'm prepared for the possibility that the git commands are the obstacle here, not the user's permissions.
 

anodos

I have a bunch of scripts that run daily via cron, as root. I'd like members of one AD group to be able to run the script by hand when they want to. The script involves git commands which require sudo rights, so it wouldn't be enough to just give them a copy of the script that they own.

I'm prepared for the possibility that the git commands are the obstacle here, not the user's permissions.
It might be worth making a feature request to add domain groups to the sudoers file.
 

averyfreeman

Contributor
Joined
Feb 8, 2015
Messages
164
According to everything I've read, git is supposed to work solely based on the access permissions of the present directory -- however, I just logged into my server as a domain user and navigated to a directory that domain user owns, and I cannot use git without sudo.

Do you have any idea why? Is it a FreeNAS-specific issue?
 

Ender117

Patron
Joined
Aug 20, 2018
Messages
219
At present (as far as I can tell) there doesn't appear to be a way to make it persistent across reboots. What are you trying to accomplish? There's not a lot of configuration that can be achieved via the CLI (at least in a way that's stable).

I think it's not a bad idea to have a checkbox in the "directory services" -> "active directory" config to automatically add "DOMAIN\Domain Admins" to the sudoers file.
Hi, sorry to revive an old thread, but this is the closest post I can find. Basically, I ran into the same thing: I can log in with domain accounts but cannot sudo. Just want to make sure it's still not possible before I submit a feature request.
 

anodos

Hi, sorry to revive an old thread, but this is the closest post I can find. Basically, I ran into the same thing: I can log in with domain accounts but cannot sudo. Just want to make sure it's still not possible before I submit a feature request.
It's currently not possible to do this.
 

Ender117

It's currently not possible to do this.
Thanks, I submitted a feature request. This may not be in high demand, but hopefully it is easy enough that it gets implemented.
 

Ender117

It would make sense that I can create a "sudoers" group in AD and add the users to that group which I want to give sudo access to. Unfortunately this has been a pain for a while (for those of us who want to manage all the credential info in AD)

https://www.ixsystems.com/community/threads/ad-user-can't-sudo.61242/#post-435657
My feature request got turned down by iXsystems; it seems that they have bigger problems at hand and/or TrueNAS customers are not bugged by this.
 