[sudo-users] network/AD accounts in Sudoers and “bridging” products
brian.hanrahan at gmail.com
Mon Mar 2 09:14:26 MST 2020
Is there any practical case where user entries for network
accounts (typically AD user or group) do not follow the netgroup syntax

When user authentication and group membership resolution are handled by
Centrify, BeyondTrust or similar, is netgroup syntax still employed in
Sudoers to match the (typically AD) accounts?

I can't see any other way for Sudo to be secure given local and network
user accounts, but it's an assumption I didn't want to make.

The concern is that products implementing "directory bridging" might cause
Sudo entries intended for local accounts to authorize a same-named network

Given a Sudo entry like "Susie All(All) All" I can imagine it could be
associated to susie at some_domain.org given a product's PAM module has full

Thanks in advance for any info/insight you can offer!
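As an added example (not part of the original post and not code from the sudo project): a small POSIX shell/awk lint that reads a sudoers fragment and flags User_Specs and User_Alias members written as bare user names, i.e. entries that match whatever account name NSS hands back for the invoking uid, as opposed to entries written as `+netgroup`, `%group`, `%:nonunix_group` or `#uid`. A bare name that also exists in the local passwd file is the case the question worries about (a directory-supplied account of the same name may be matched); a bare name with no local account can only be satisfied by a directory account. The sudoers fragment and the local user list are constructed sample data; the parser assumes a one-token Host_List and no backslash line continuations, which are simplifications, not sudoers rules.

```sh
#!/bin/sh
# lint_bare_users: report sudoers user entries that match purely by name.
# Added example, not from the sudo project or the original post.
set -eu

# Constructed local account list (what `cut -d: -f1 /etc/passwd` would give).
LOCAL_USERS="root daemon susie"

# Constructed sudoers fragment exercising each User_List spelling.
SUDOERS_SAMPLE=$(cat <<'EOF'
# bare name: matches whichever account NSS resolves to "susie"
susie   ALL=(ALL) ALL
# netgroup: membership resolved by innetgr(), not by account name
+adm_ng ALL=(ALL) ALL
# Unix group and non-Unix (directory) group via the group plugin
%wheel  ALL=(ALL) ALL
%:dom_admins ALL=(ALL) ALL
# numeric uid
#1001   ALL=(ALL) ALL
User_Alias OPS = bob, +ops_ng
OPS     ALL=(ALL) NOPASSWD: /usr/bin/systemctl
Defaults env_reset
EOF
)

# lint_bare_users LOCAL_NAMES < sudoers
# Prints "name local|not-local lineno" for every bare user name found.
lint_bare_users() {
    awk -v localnames="$1" '
    BEGIN {
        n = split(localnames, a, /[[:space:]]+/)
        for (i = 1; i <= n; i++) if (a[i] != "") is_local[a[i]] = 1
    }
    function trim(s) { sub(/^[[:space:]]+/, "", s); sub(/[[:space:]]+$/, "", s); return s }
    # Inspect each comma-separated member of a User_List.
    function check(list, lineno,    k, m, parts, t) {
        m = split(list, parts, ",")
        for (k = 1; k <= m; k++) {
            t = trim(parts[k])
            gsub(/"/, "", t)                        # quoted names
            sub(/^!+/, "", t)                       # a negated entry still names a user
            if (t == "" || t == "ALL") continue
            if (t ~ /^[%+#]/) continue              # %group, %:nonunix_group, +netgroup, #uid
            if (t ~ /^[A-Z][A-Z0-9_]*$/) continue   # alias reference (uppercase by grammar)
            printf "%s %s %d\n", t, ((t in is_local) ? "local" : "not-local"), lineno
        }
    }
    # Blank lines and comments; "#<digits>" is a uid entry, not a comment.
    /^[[:space:]]*$/ || /^[[:space:]]*#[^0-9]/ || /^[[:space:]]*#$/ { next }
    /^[[:space:]]*(Defaults|@include|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
    /^[[:space:]]*User_Alias[[:space:]]/ {
        line = $0
        sub(/^[[:space:]]*User_Alias[[:space:]]+[^=]*=/, "", line)
        check(line, NR)
        next
    }
    {
        # User_Spec: User_List Host_List = Cmnd_Spec_List.
        # Assumption: Host_List is a single whitespace-free token.
        lhs = $0
        sub(/=.*/, "", lhs)
        lhs = trim(lhs)
        sub(/[[:space:]]+[^[:space:]]+$/, "", lhs)   # drop Host_List
        check(lhs, NR)
    }'
}

# count_bare_users LOCAL_NAMES < sudoers : number of bare-name entries.
count_bare_users() {
    lint_bare_users "$1" | wc -l | tr -d ' '
}

# Demo on the constructed fragment: susie (local, line 2) and bob (line 10).
printf '%s\n' "$SUDOERS_SAMPLE" | lint_bare_users "$LOCAL_USERS"
```

On a real host the same function runs as `lint_bare_users "$(cut -d: -f1 /etc/passwd)" </etc/sudoers` (root is needed to read the file); `visudo -c` checks syntax only and says nothing about whether a name-matched entry can be satisfied by a directory account, which is exactly the case this lint lists.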