[sudo-users] network/AD accounts in Sudoers and “bridging” products

Brian Hanrahan brian.hanrahan at gmail.com
Mon Mar 2 09:14:26 MST 2020

Is there any practical case where user entries for network
accounts (typically AD user or group) do not follow the netgroup syntax
https://www.sudo.ws/man/1.8.31/sudoers.man.html#SUDOERS_FILE_FORMAT ?

When user authentication and group membership resolution are handled by
Centrify, BeyondTrust or similar, is netgroup syntax still employed in
Sudoers to match the (typically AD) accounts?
I can't see any other way for Sudo to be secure given local and network
user accounts, but it's an assumption I didn't want to make.
The concern is that products implementing "directory bridging" might cause
Sudo entries intended for local accounts to authorize a same-named network
Given a Sudo entry like "Susie All(All) All" I can imagine it could be
associated to susie at some_domain.org given a product's PAM module has full

Thanks in advance for any info/insight you can offer!

