[CENTOS7] 将域群组加入到Sudoer里

文章来源：https://derflounder.wordpress.com/2012/12/14/adding-ad-domain-groups-to-etcsudoers/

Adding AD domain groups to /etc/sudoers

December 14, 2012rtroutonLeave a commentGo to comments

 

A recent discussion on the MacEnterprise list focused around how to give members of Active Directory groups the ability to run commands as root using the sudo command-line utility. This would allow the users in those groups the ability to run some or all commands with root privileges in Terminal without having to give those accounts administrative privileges on the Mac in question.

To do this, you would need to add an entry to the /etc/sudoers file. /etc/sudoers gives listed users or groups the ability to execute commands while having the privileges of the root user.

Editing /etc/sudoers

To edit /etc/sudoers safely, make sure to use the visudo utility. This application will do a sanity check on your changes to /etc/sudoers before putting them into production.

visudo uses vi as its editor. If you haven’t used vi previously, I recommend doing some research on vi commands  before launching visudo.

Adding entries to /etc/sudoers

Adding the following entry to /etc/sudoers would allow you to give full sudo permissions to an AD group named ITadmins:

1	%DOMAIN\\ITadmins      ALL=(ALL) ALL

Because a number of AD groups have spaces in the names, you’ll need to escape the spaces using backslashes. For example. adding the following entry to /etc/sudoers would allow you to give full sudo permissions to an AD group named Group Name With Spaces:

1	%DOMAIN\\Group\ Name\ With\ Spaces       ALL=(ALL) ALL

In both cases, replace DOMAIN with your AD domain’s name.