Question

Intermittent sudo issues?

  • December 8, 2021
  • 7 replies
  • 62 views


Hi all,

We have our Macs AD bound with mobile accounts, and starting with Big Sur we've had several users run into an issue when trying to use sudo in a terminal window. They'll get the error that they're not in the sudoers file. Normally they'll be standard users using Privileges and it will work, but for some, sudo has stopped working altogether.

We've tried converting the mobile accounts to local accounts but this didn't solve the issue either. Has anyone run into similar issues?

7 replies

  • New Contributor
  • January 28, 2022

We had the exact same issue with Privileges. We are in the process of changing to Jamf's Make Me Admin script. We added a line to create a file in the sudoers.d directory with the person's user ID, and we remove that file during the removeAdminRights.sh cleanup.

Our tests have worked excellently and we are preparing for pilot.  Hope that helps! We struggled with this issue for months.


  • Author
  • Valued Contributor
  • February 4, 2022


Ah that's great, would you be willing to share your solution? Regarding the line to create a file and then removing it.


  • New Contributor
  • February 4, 2022

Sure thing! Under the section that gives the user admin privileges we add this:

# Write the drop-in in one step (the original chained touch and echo with a pipe,
# which runs them concurrently rather than one after the other) and give the file
# the mode sudo expects for sudoers.d entries.
echo "$currentUser ALL = (ALL) ALL" > /etc/sudoers.d/domainadmins
chmod 0440 /etc/sudoers.d/domainadmins

Then we add this to the removeAdminRights.sh:

# chown needs an owner operand; root:wheel is the ownership sudo expects for sudoers.d files
chown root:wheel /etc/sudoers.d/domainadmins
rm -f /etc/sudoers.d/domainadmins


We found that if we don't chown the domainadmins file first, the script won't delete it properly.
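An added example, not code from this thread or from the Make Me Admin script, of how such a drop-in can be written and removed more defensively: the short name is validated before it is interpolated into a sudoers line (a mobile-account name is AD-sourced input), the file is written with mode 0440 under a dotted temporary name that sudo's includedir never parses, and, when running as root as the script does, it is syntax-checked with visudo -cf before being moved into place. The directory is a parameter so the functions can be exercised against a scratch directory; in production it is /etc/sudoers.d, and the file name domainadmins follows the thread.

```shell
#!/bin/sh
# Added example, not the thread's or Make Me Admin's own code.
# grant_sudo USER DIR writes DIR/domainadmins; revoke_sudo USER DIR removes it.
# DIR is /etc/sudoers.d in production; it is a parameter so this can be run elsewhere.

# Accept only characters a macOS short name may contain and refuse a leading '-',
# so a name carrying spaces, quotes, '%' or '!' cannot widen or break the grant.
valid_short_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

grant_sudo() {
    user="$1"; dir="$2"; file="$dir/domainadmins"
    valid_short_name "$user" || {
        echo "refusing to grant sudo: invalid short name '$user'" >&2; return 1; }
    # The temp name contains a '.', which sudo's includedir skips, so a half-written
    # file is never live.
    tmp="$(mktemp "$dir/.domainadmins.XXXXXX")" || return 1
    printf '%s ALL = (ALL) ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"     # the mode sudo expects for sudoers.d entries
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp"  # root:wheel on macOS; sudo expects drop-ins owned by root
        # visudo -c also verifies owner and mode, so run it only once those are set
        if command -v visudo >/dev/null 2>&1; then
            visudo -cf "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 1; }
        fi
    fi
    mv "$tmp" "$file"     # rename is atomic: the grant appears fully formed or not at all
}

revoke_sudo() {
    rm -f "$2/domainadmins"
}
```

Calling grant_sudo with a name such as "alice ALL=(ALL) NOPASSWD:ALL" is refused before anything is written, which is the failure the validation exists for.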


dstranathan
  • Valued Contributor
  • June 13, 2022

On occasion we see situations where a legit user running a command via sudo is denied even though the user is in the local admin group and should be able to perform the task (“User xxx is not in sudoers file, the incident will be reported”). They are in the dscl local admin group but not explicitly in the sudoers file, but I have never needed to add them to this file in recent years, because the macOS sudoers file has an entry for the %admin group (nested membership, etc.). Seems to be 1 specific user who sees this error on occasion. He's on Monterey 12.4.


jkeller13
  • Contributor
  • April 12, 2023


Were you able to determine the issue? We have been sporadically encountering the same behavior.


dstranathan
  • Valued Contributor
  • April 13, 2023

Are you bound to AD?

Do you see the issue on both Ventura and Monterey?

Are all your users local administrators by default?


jkeller13
  • Contributor
  • April 22, 2023


  • Yes bound to AD with mobile accounts
  • We saw it in Monterey as well as Ventura
  • Yes all users get added to /Groups/admin by default
  • Possibly related, we've been seeing issues with support seeing the error “Username is not in the sudoers file. This incident will be reported” with our admin group listed in the /etc/sudoers file, which has nested groups in it:
    • ADMIN_GROUP
      • user1
      • user2
      • user3
      • Group1
        • user4
        • user5
      • Group2
        • user6
      • user7
      • user8

I'm not completely convinced that the two are related since the machine owner is in the local admin group, but maybe just another AD issue we encounter (shocker). My only thought is that maybe it's messing up the group lookups in general.