Posted on 12-08-2021 04:56 AM
Hi all,
We have our Macs AD bound with mobile accounts, and starting with Big Sur we've had several users run into an issue when trying to use sudo in a terminal window. They'll get the error that they're not in the sudoers file. Normally they'll be standard users using Privileges and it will work, but for some, sudo has stopped working altogether.
We've tried converting the mobile accounts to local accounts but this didn't solve the issue either. Has anyone run into similar issues?
Posted on 01-28-2022 07:47 AM
We had the exact same issue with Privileges. We are in the process of changing to Jamf's Make Me Admin script. We added a line to create a file in the sudoers.d directory with the person's user ID and we remove that file during the removeAdminRights.sh cleanup.
Our tests have worked excellently and we are preparing for pilot. Hope that helps! We struggled with this issue for months.
Posted on 02-03-2022 11:30 PM
Ah that's great, would you be willing to share your solution? Regarding the line to create a file and then removing it.
Posted on 02-04-2022 07:08 AM
Sure thing! Under the section for giving the user admin privileges we add this:
# write the drop-in and restrict its mode; sudo ignores sudoers.d files that are not mode 0440
echo "$currentUser ALL = (ALL) ALL" > /etc/sudoers.d/domainadmins && chmod 0440 /etc/sudoers.d/domainadmins
Then we add this to the removeAdminRights.sh:
# chown needs an owner argument; make sure root owns the file, then remove it
chown root:wheel /etc/sudoers.d/domainadmins
rm -f /etc/sudoers.d/domainadmins
We found that if we don't chown the domainadmins file first, the script won't delete it properly.
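The grant/revoke pair described in this post, written out as an added example that is not the poster's Make Me Admin script. It assumes the drop-in is named domainadmins, that the console user is looked up with stat on /dev/console, and that the directory and the visudo binary can be overridden through SUDOERS_DIR and VISUDO so the functions can be exercised against a scratch directory; the file is written atomically with the 0440 mode sudo requires, the username is validated before it is interpolated into sudoers syntax, and the candidate file is syntax-checked with visudo before it goes live.

```shell
#!/bin/sh
# Added example for managing a per-user sudoers.d drop-in (not the poster's
# Make Me Admin script). Assumptions: the drop-in is named "domainadmins",
# the console user is found via stat on /dev/console, and SUDOERS_DIR / VISUDO
# can be overridden so the functions can be exercised against a scratch directory.
DROPIN_NAME="domainadmins"

# Username of the user at the console (the usual lookup in Jamf scripts); falls
# back to the invoking user when /dev/console is not available.
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null || id -un
}

# Only accept plain account names: anything else could smuggle sudoers syntax
# (for example "NOPASSWD:" or extra host lists) into the file.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9._-]*$'
}

# Write the drop-in atomically with the 0440 mode sudo requires; a world-readable
# or writable file in sudoers.d is ignored by sudo, which looks exactly like the
# "not in the sudoers file" error described in the thread.
grant_sudo() {
    user="$1"
    dir="${SUDOERS_DIR:-/etc/sudoers.d}"
    target="$dir/$DROPIN_NAME"
    tmp="$target.tmp.$$"
    valid_username "$user" || { echo "refusing invalid username: $user" >&2; return 1; }
    (umask 077 && printf '%s ALL=(ALL) ALL\n' "$user" > "$tmp") || return 1
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    # Syntax-check the candidate file before it goes live, if visudo is available.
    visudo_bin="${VISUDO:-visudo}"
    if command -v "$visudo_bin" >/dev/null 2>&1; then
        "$visudo_bin" -c -f "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; echo "visudo rejected $tmp" >&2; return 1; }
    fi
    mv "$tmp" "$target"
}

# Cleanup counterpart for removeAdminRights.sh: the file is created and removed
# by root, so no chown is needed first.
revoke_sudo() {
    rm -f "${SUDOERS_DIR:-/etc/sudoers.d}/$DROPIN_NAME"
}

# True when the drop-in exists and contains exactly the entry for this user.
has_sudo_dropin() {
    f="${SUDOERS_DIR:-/etc/sudoers.d}/$DROPIN_NAME"
    [ -f "$f" ] && grep -qxF -- "$1 ALL=(ALL) ALL" "$f"
}

# Usage: sh this_script.sh grant | revoke | check   (run as root on the Mac)
case "${1:-}" in
    grant)  grant_sudo "$(console_user)" ;;
    revoke) revoke_sudo ;;
    check)  has_sudo_dropin "$(console_user)" && echo "drop-in present" || echo "no drop-in" ;;
esac
```

After granting, running `sudo -l` as the affected user shows whether the new entry is picked up; if sudo still reports the user is not in the sudoers file, the usual culprits are a drop-in with the wrong mode or owner, or a group lookup (%admin) that the directory service is not resolving for that account.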
06-13-2022 12:14 PM - edited 06-13-2022 12:18 PM
On occasion we see situations where a legit user running a command via sudo is denied even though the user is in the local admin group and should be able to perform the task ("User xxx is not in sudoers file, the incident will be reported"). They are in the dscl local admin group but not explicitly in the sudoers file, but I have never needed to add them to this file in recent years, because the macOS sudoers file has an entry for the %admin group (nested membership, etc). Seems to be 1 specific user who sees this error on occasion. He's on Monterey 12.4.
Posted on 04-12-2023 10:22 AM
Were you able to determine the issue? We have been sporadically encountering the same behavior.
Posted on 04-13-2023 09:01 AM
Are you bound to AD?
Do you see the issue on both Ventura and Monterey?
Are all your users local administrators by default?
Posted on 04-22-2023 07:34 AM
I'm not completely convinced that the two are related since the machine owner is in the local admin group, but maybe just another AD issue we encounter (shocker). My only thought is that maybe it's messing up the group lookups in general.