I’ve written an extensive tutorial about integrating Ubuntu 15.10 with Active Directory.
Today I’ve deployed our first testbed comp with 16.04 (beta2) installed. Joined it to AD, set up FDE, everything’s fine. Then the user complains he cannot sudo. Hmm, lemme check the sudoRole for typos. Nope, it’s fine. Let’s delete and recreate it. It still fails. Hmm, but why does my user’s sudo access work?
Guess what, my role had sudoHost set to ALL while the user’s role only had this one comp’s hostname in short form, which was working perfectly in Ubuntu 15.10 (with SSSD 1.12). Then I thought using the FQDN may help it, and it turned out to be right, sudo started working right away.
Looking at the SSSD 1.13 (included in Ubuntu 16.04) release notes, there’s an entry like this:
Group Policy objects defined in a different AD domain that the computer object is defined in are now supported.
This may have something to do with this. Anyhow, I’ve updated the original guide as well.
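A small audit for the problem described above, as an added example that is not from the original post or guide: it scans an LDIF export of sudoRole entries and lists every sudoHost value that is a bare short hostname, which are the entries to change to the FQDN. The LDIF sample and all names in it are constructed, and the value kinds it skips (ALL, +netgroup, IP addresses and networks, wildcards) are assumed from the sudoers.ldap schema.

```python
import ipaddress

# Constructed sample: LDIF as an ldapsearch export of sudoRole objects might look.
# Every name here (example.test, ws01, ws02, the OU) is made up for illustration.
SAMPLE_LDIF = """\
dn: CN=admins,OU=sudoers,DC=example,DC=test
sudoUser: %domain-admins
sudoHost: ALL

dn: CN=ws01-user,OU=sudoers,DC=example,DC=test
sudoUser: jdoe
sudoHost: ws01

dn: CN=ws02-user,OU=sudoers,DC=example,DC=test
sudoUser: asmith
sudoHost: ws02.example.test
sudoHost: 192.0.2.0/24
"""

def is_short_hostname(value):
    """True if a sudoHost value is a bare hostname with no domain part."""
    v = value.lstrip("!")                        # negated entry
    if v.upper() == "ALL" or v.startswith("+"):  # ALL or a host netgroup
        return False
    if any(c in v for c in "*?[]"):              # wildcard pattern
        return False
    try:
        ipaddress.ip_network(v, strict=False)    # IP address or network
        return False
    except ValueError:
        pass
    return "." not in v

def short_sudo_hosts(ldif):
    """Return (dn, sudoHost) pairs whose sudoHost is a short hostname."""
    findings, dn = [], None
    for line in ldif.replace("\n ", "").splitlines():  # unfold continued lines
        attr, sep, value = line.partition(": ")
        if not sep:
            continue
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "sudohost" and is_short_hostname(value.strip()):
            findings.append((dn, value.strip()))
    return findings

if __name__ == "__main__":
    for dn, host in short_sudo_hosts(SAMPLE_LDIF):
        print(f"{dn}: sudoHost '{host}' is not an FQDN")
```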
TL;DR: use FQDN (the dNSHostName attribute of the computer object) for the sudoHost attribute in