Granting access to AD user or group …
Jun 5, 2023
If you want to use the CLI you first have to obtain a Kerberos ticket from IdM:
[root@stlidm01 ~]# ipa group-add --help
ipa: ERROR: Ticket expired
[root@stlidm01 ~]# kinit
Password for admin@IDM.KTTEST.LOCAL:
[root@stlidm01 ~]#
Note: if you want to give access to an AD group, the AD security group must have global or universal group scope.
Create an external group and add the AD user or group as an external member:
[root@stlidm01 ~]# ipa group-add --external ad_users_external
...
[root@stlidm01 ~]# ipa group-add-member ad_users_external --external "User@domain.com"
...
Create a POSIX group and add ad_users_external to ad_users as a member:
[root@stlidm01 ~]# ipa group-add ad_users
...
[root@stlidm01 ~]# ipa group-add-member ad_users --groups ad_users_external
...
Create the sudo command and the sudo rule, then allow the command in the rule and add the host and the user group to it:
[root@stlidm01 ~]# ipa sudocmd-add /usr/sbin/reboot
...
[root@stlidm01 ~]# ipa sudorule-add ad_users_reboot
...
[root@stlidm01 ~]# ipa sudorule-allow-command ad_users_reboot --sudocmds '/usr/sbin/reboot'
...
[root@stlidm01 ~]# ipa sudorule-add-host ad_users_reboot --hosts os.example.com
...
[root@stlidm01 ~]# ipa sudorule-add-user ad_users_reboot --groups ad_users
...
Verification steps:
[root@stlidm01 ~]# ssh ad_user@ad-domain@ipaclient
...
[root@stlidm01 ~]# sudo -l
...
[root@stlidm01 ~]# ipa sudorule-add-option ANY --sudooption='!authenticate'
The sudo NOPASSWD behaviour can be set on a rule with the !authenticate option as shown above (ANY is the name of the rule the option is added to).
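As an added check that is not part of the original post: the following shell script audits the finished rule by parsing `ipa sudorule-show ad_users_reboot --all` output, confirming it is enabled and scoped to exactly the intended command, host and group, flagging a category of "all" (which would widen the rule to every host, user or command) and warning when !authenticate is set. The output is a constructed sample and the field labels are assumed to match the ipa CLI.

```shell
# Audit a FreeIPA sudo rule against its intended scope. Added example, not
# from the original post. SAMPLE_RULE is a constructed copy of what
# `ipa sudorule-show ad_users_reboot --all` prints (labels assumed); on a
# real IdM server replace it with the command's output.
SAMPLE_RULE='  Rule name: ad_users_reboot
  Enabled: TRUE
  User Groups: ad_users
  Hosts: os.example.com
  Sudo Allow Commands: /usr/sbin/reboot
  Sudo Option: !authenticate'

# rule_field OUTPUT LABEL: print the value of the "  LABEL: value" line (empty if absent)
rule_field() {
  printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

AUDIT_RC=0
# want_field OUTPUT LABEL WANT: print OK/FAIL and record any failure in AUDIT_RC
want_field() {
  got=$(rule_field "$1" "$2")
  if [ "$got" = "$3" ]; then
    echo "OK   $2: $got"
  else
    echo "FAIL $2: got '$got', want '$3'"
    AUDIT_RC=1
  fi
}

# audit_rule OUTPUT CMD HOST GROUP: return 0 only when the rule is enabled and
# grants exactly CMD on HOST to GROUP with no "all" category. !authenticate is
# a warning, not a failure, because it is a deliberate choice (NOPASSWD).
audit_rule() {
  AUDIT_RC=0
  want_field "$1" "Enabled" "TRUE"
  want_field "$1" "Sudo Allow Commands" "$2"
  want_field "$1" "Hosts" "$3"
  want_field "$1" "User Groups" "$4"
  for cat in "Host category" "User category" "Command category"; do
    if [ "$(rule_field "$1" "$cat")" = "all" ]; then
      echo "FAIL $cat: all"
      AUDIT_RC=1
    fi
  done
  case "$(rule_field "$1" "Sudo Option")" in
    *'!authenticate'*) echo "WARN $2 runs without a password (!authenticate)" ;;
  esac
  return $AUDIT_RC
}

audit_rule "$SAMPLE_RULE" /usr/sbin/reboot os.example.com ad_users
```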