AD integration changes in Ubuntu 16.04

I’ve written an extensive tutorial about integrating Ubuntu 15.10 with Active Directory.

Today I’ve deployed our first testbed comp with 16.04 (beta2) installed. Joined it to AD, set up FDE, everything’s fine. Then the user complains he cannot sudo. Hmm, lemme check the sudoRole for typos. Nope, it’s fine. Let’s delete and recreate it. It still fails. Hmm, but why does my user’s sudo access work?

Guess what, my role had sudoHost set to ALL while the user’s role only had this one comp’s hostname in short form, which was working perfectly in Ubuntu 15.10 (with SSSD 1.12). Then I thought using the FQDN may help it, and it turned out to be right, sudo started working right away.

Looking at the SSSD 1.13 (included in Ubuntu 16.04) release notes, there’s an entry like this:

Group Policy objects defined in a different AD domain that the computer object is defined in are now supported.

This may have something to do with this. Anyhow, I’ve updated the original guide as well.

TL;DR: use FQDN (the dNSHostName attribute of the computer object) for the sudoHost attribute in sudoRole objects.

Tags: , , , ,