I'm working with a variety of Linux servers that are being joined to Active Directory, and I'm looking to get some insights on the best practices for managing sudo and root access on these systems. Given that each server has unique owners and different user accounts that require privileged access, what strategies do you use to organize this in a way that is both scalable and secure? Do you base your management on AD groups, or is there a different approach that works better? Any advice or tips would be greatly appreciated!
6 Answers
I set up dual AD groups for every machine: one group for SSH access and another for sudo permissions. I handle updates to the SSH config and sudoers file using deployment scripts to keep everything consistent and managed.
Managing through AD groups is definitely the way to go! We use the ad_access_filter in SSSD to control user logins, with corresponding sudo permissions laid out in /etc/sudoers.d. Since we already organize teams within AD, this approach integrates seamlessly into our existing framework. And while nested AD groups in SSSD take a bit of setup, they become much easier to manage once you get it figured out.
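The two answers above (a login group plus a sudo group per host, and SSSD's ad_access_filter feeding a sudoers.d file) can be generated from one script. The following is an added example, not code posted in the thread: the linux-<host>-ssh / linux-<host>-sudo naming scheme, the OU path OU=Linux,DC=example,DC=com and wheel as a local break-glass group are assumptions. It emits an sssd.conf fragment, an sshd drop-in and a sudoers.d file for one host, and uses the LDAP_MATCHING_RULE_IN_CHAIN OID in the access filter so nested groups are honoured.

```shell
#!/bin/sh
# Added example: per-host AD access config generator. The group naming scheme,
# the OU path and "wheel" as a local break-glass group are assumptions.
# Produces three files in OUTDIR for one host:
#   sssd-<host>.conf   lines to merge into the [domain/<domain>] section of sssd.conf
#   sshd-<host>.conf   drop-in for /etc/ssh/sshd_config.d/ (needs the Include line)
#   sudoers-<host>     file for /etc/sudoers.d/
set -eu

OU_DN="OU=Linux,DC=example,DC=com"   # assumption: where the per-host groups live

# Naming scheme (assumption): linux-<host>-ssh gates logins, linux-<host>-sudo gates root.
# No spaces in the names: AllowGroups is space-separated and sudoers needs "\ " escaping.
ssh_group_for()  { printf 'linux-%s-ssh\n'  "$1"; }
sudo_group_for() { printf 'linux-%s-sudo\n' "$1"; }

# Filter for ad_access_filter. The OID 1.2.840.113556.1.4.1941 is AD's
# LDAP_MATCHING_RULE_IN_CHAIN, so users in groups nested inside the SSH group
# pass too; a plain "memberOf=" matches direct members only.
access_filter_for() {
    printf '(memberOf:1.2.840.113556.1.4.1941:=CN=%s,%s)\n' "$(ssh_group_for "$1")" "$OU_DN"
}

# sudoers syntax: a leading % names a group; (ALL:ALL) allows any run-as user/group.
sudoers_line_for() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$(sudo_group_for "$1")"
}

gen_access_config() {
    host=$1; domain=$2; out=$3
    mkdir -p "$out"

    cat > "$out/sssd-$host.conf" <<EOF
# merge into [domain/$domain] in /etc/sssd/sssd.conf
access_provider = ad
ad_access_filter = $(access_filter_for "$host")
use_fully_qualified_names = False
EOF

    # Second gate in sshd. AllowGroups sees the groups that 'id <user>' shows,
    # so SSSD group lookups must work before this is deployed.
    printf 'AllowGroups %s wheel\n' "$(ssh_group_for "$host")" > "$out/sshd-$host.conf"

    {
        printf '# managed by the deployment script: change the AD group, not this file\n'
        sudoers_line_for "$host"
    } > "$out/sudoers-$host"
    chmod 0440 "$out/sudoers-$host"
}

# Run before copying into place: a syntax error in any /etc/sudoers.d file
# makes sudo refuse to run at all on that host.
check_sudoers() { visudo -cf "$1"; }

# Usage: gen_access.sh <host> <ad-domain> <outdir>
if [ $# -eq 3 ]; then
    gen_access_config "$@"
fi
```

Two checks worth keeping in the deployment script: `id <user>` on the host must list the AD group before the sshd drop-in goes live, or AllowGroups locks everyone out, and `visudo -cf` must pass on every generated sudoers file, because one bad file in /etc/sudoers.d disables sudo for the whole host. If the domain keeps use_fully_qualified_names = True, the group references become `%linux-web01-sudo@example.com` and `AllowGroups linux-web01-ssh@example.com` instead.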
Absolutely agree with managing it through AD groups! You just add the necessary entries in the /etc/sudoers.d directory for the relevant groups.
We manage our sudo rules through Active Directory directly. This way, there's no need to constantly update the sudoers file via Ansible. Basically, you extend the AD schema with sudo attributes, which allows you to create rules in AD itself. For example, we have a rule that grants the "LinuxAdmins" AD group sudo access across all servers, along with specific rules for developers on their machines.
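What the AD-side rules in that approach look like, as an added example rather than anything posted in the thread: once the sudo LDAP schema (schema.ActiveDirectory from the sudo source tree) is imported into the forest, each rule is a sudoRole object. The script emits LDIF for the two kinds of rule described above (LinuxAdmins everywhere, developers on one host) plus the client settings SSSD needs. The OU OU=SUDOers,DC=example,DC=com, the AppDevs group, the host app01.example.com and the restart command are assumptions.

```shell
#!/bin/sh
# Added example: emit sudoRole LDIF for rules kept in AD. The OU, group names,
# host and command are assumptions. Load with
#   ldapadd -H ldaps://dc01.example.com -D <admin> -W -f rules.ldif
# or ldifde -i -f rules.ldif on a Windows host.
set -eu

SUDO_OU="OU=SUDOers,DC=example,DC=com"   # assumption: container for sudoRole objects

# sudo_role NAME SUDOUSER SUDOHOST SUDOCOMMAND [SUDOORDER]
# SUDOUSER is "%group" for a group, a bare name for a user. sudo applies the
# matching rule with the highest sudoOrder (default 0 when absent).
sudo_role() {
    name=$1; user=$2; host=$3; cmd=$4; order=${5:-0}
    printf 'dn: CN=%s,%s\n' "$name" "$SUDO_OU"
    printf 'objectClass: top\nobjectClass: sudoRole\n'
    printf 'cn: %s\n' "$name"
    printf 'sudoUser: %s\n' "$user"
    printf 'sudoHost: %s\n' "$host"
    printf 'sudoCommand: %s\n' "$cmd"
    printf 'sudoRunAsUser: ALL\n'
    printf 'sudoOrder: %s\n\n' "$order"
}

all_rules_ldif() {
    # Admins: root-equivalent on every server.
    sudo_role linuxadmins-all '%LinuxAdmins' ALL ALL 100
    # Developers: one command on their own box. SSSD filters rules by the
    # host's own name, FQDN and IP before sudo sees them, so sudoHost must be
    # one of those, not a display name.
    sudo_role dev-app01-restart '%AppDevs' app01.example.com '/usr/bin/systemctl restart app' 10
}

# Client side: the settings that make sudo read rules through SSSD.
client_config_fragment() {
    cat <<'EOF'
# /etc/sssd/sssd.conf, [sssd] section:
services = nss, pam, sudo
# /etc/sssd/sssd.conf, [domain/example.com] section:
sudo_provider = ad
# /etc/nsswitch.conf:
sudoers: files sss
EOF
}

if [ "${1:-}" = "ldif" ]; then
    all_rules_ldif
elif [ "${1:-}" = "client" ]; then
    client_config_fragment
fi
```

Verify on a host with `sudo -l -U <user>`, which lists the rules SSSD delivered for that user on that host. The flip side of putting rules in the directory: write access to that OU is root on every server, so delegate it as narrowly as the LinuxAdmins group itself and audit changes to sudoRole objects the same way you would audit membership changes.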
In our setup, the Ansible provisioning script creates a couple of groups in AD for each Linux system based on its type. We maintain groups for logins and admins, simplifying the delegation process and making auditing permissions much easier. We send out reports biannually for system owners to verify access, ensuring everyone has updated visibility on permissions.
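The periodic owner review mentioned above is easy to script once the login and admin groups follow a fixed naming scheme. Added example, not from the thread: it turns `getent group` output for the per-host groups into one row per member, so a system owner can sign off on a flat list. The linux-<host>-ssh / linux-<host>-sudo naming and the sample getent lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: access-review rows from the per-host AD groups.
# Naming scheme (assumption): linux-<host>-ssh for logins, linux-<host>-sudo for admins.
set -eu

# Reads `getent group` lines ("name:passwd:gid:member1,member2,...") on stdin
# and prints "host,role,member" rows for the managed groups. An empty group
# still produces a "host,role," row so the owner sees stale ACLs, not silence.
access_rows() {
    awk -F: '
        $1 ~ /^linux-.*-(ssh|sudo)$/ {
            name = $1; sub(/^linux-/, "", name)
            role = name; sub(/.*-/, "", role)          # ssh or sudo
            host = name; sub(/-(ssh|sudo)$/, "", host) # hostnames may contain "-"
            if ($4 == "") { print host "," role ","; next }
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print host "," role "," m[i]
        }'
}

# Live use, per host from an inventory:
#   getent group linux-web01-ssh linux-web01-sudo | access_rows
# Constructed sample in getent format so the script runs offline:
SAMPLE='linux-web01-ssh:*:1000001:alice,bob,carol
linux-web01-sudo:*:1000002:alice
linux-db-01-ssh:*:1000003:dave
linux-db-01-sudo:*:1000004:
wheel:x:10:root'

sample_report() { printf '%s\n' "$SAMPLE" | access_rows; }

if [ "${1:-}" = "sample" ]; then
    sample_report
fi
```

Because `getent group` goes through SSSD, the rows reflect what the host itself resolves, including nested membership if SSSD expands it, which is the view that actually governs sudo and sshd on that box. Feed the rows to whatever ticketing or mail process the owners already use; the point is that the review reads the same groups the servers enforce.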
We typically set up unique sudoers files for each AD group and manage them using Ansible. I’m not entirely sure if it's the best practice to rely solely on sudoers files, though. Some people find it more effective to pull sudo privileges directly from AD. It might be worth exploring that option!
I feel the same about Ansible; if only it had built-in centralized authentication, that would be a game-changer for managing all our servers!

Same here! I use nested AD groups as well. The enterprise admin group is part of the project's admin group, which helps unify access across various sudo and access configuration files.