Intermittent sudo issues?

jonlju
Contributor

Hi all,

We have our Macs AD bound with mobile accounts, and starting with Big Sur we've had several users run into an issue when trying to use sudo in a terminal window. They'll get the error that they're not in the sudoers file. Normally they'll be standard users using Privileges and it will work, but for some, sudo has stopped working altogether.

We've tried converting the mobile accounts to local accounts but this didn't solve the issue either. Has anyone run into similar issues?


justin_musk
New Contributor II

We had the exact same issue with Privileges. We are in the process of changing to Jamf's Make Me Admin script. We added a line to create a file in the sudoers.d directory with the person's user ID, and we remove that file during the removeAdminRights.sh cleanup.

Our tests have worked excellently and we are preparing for pilot. Hope that helps! We struggled with this issue for months.

Ah, that's great. Would you be willing to share your solution, regarding the line that creates the file and then removes it?

justin_musk
New Contributor II

Sure thing! Under the section that gives the user admin privileges, we add this:

# The original line piped touch into echo; the redirect alone creates the file, so the pipe is dropped.
echo "$currentUser ALL = (ALL) ALL" > /etc/sudoers.d/domainadmins

Then we add this to the removeAdminRights.sh:

# chown needs an owner operand; the script runs as root, so root is assumed here (not in the original line).
chown root /etc/sudoers.d/domainadmins
rm -f /etc/sudoers.d/domainadmins


We found that if we don't chown the domainadmins file first, the script won't delete it properly.
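The sudoers.d grant-and-revoke workflow described above, written out as an added example (not the poster's script and not Jamf's Make Me Admin code), with the ownership, mode and syntax checks that sudo applies to drop-in files. SUDOERS_DIR is a hypothetical override so the functions can be exercised in a scratch directory; the real path is /etc/sudoers.d, and the script is expected to run as root, as Jamf policies do.

```shell
#!/bin/sh
# Added example: a temporary sudoers.d drop-in for one user, created and
# revoked with the checks sudo itself enforces on /etc/sudoers.d files.
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"   # override is hypothetical; real path is /etc/sudoers.d
DROPIN_NAME="domainadmins"                     # sudo ignores drop-in names containing '.' or '~'

# Write "<user> ALL = (ALL) ALL" to the drop-in. Returns 1 if the username
# could smuggle extra sudoers syntax or the file fails validation.
grant_sudo() {
    user="$1"
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing username: '$user'" >&2; return 1 ;;
    esac
    f="$SUDOERS_DIR/$DROPIN_NAME"
    umask 077
    printf '%s ALL = (ALL) ALL\n' "$user" > "$f" || return 1
    # sudo refuses drop-ins that are world-writable or not root-owned; 0440 is the conventional mode.
    chmod 0440 "$f" || return 1
    # A syntax error in any drop-in breaks sudo for every user, so validate before trusting it.
    # visudo also checks owner and mode, so the check only makes sense when running as root.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cqf "$f" || { rm -f "$f"; return 1; }
    fi
    return 0
}

# Remove the drop-in. Running as root, rm -f is sufficient; no chown is needed first.
revoke_sudo() {
    rm -f "$SUDOERS_DIR/$DROPIN_NAME"
}

# Audit helper: does the drop-in currently grant exactly this user?
has_sudo_dropin() {
    grep -qxF "$1 ALL = (ALL) ALL" "$SUDOERS_DIR/$DROPIN_NAME" 2>/dev/null
}
```

Call grant_sudo "$currentUser" where the script grants admin rights and revoke_sudo from removeAdminRights.sh; has_sudo_dropin is there so a compliance check can confirm the grant was actually revoked.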

dstranathan
Valued Contributor II

On occasion we see situations where a legit user running a command via sudo is denied even though the user is in the local admin group and should be able to perform the task (“User xxx is not in sudoers file, the incident will be reported”). They are in the dscl local admin group but not explicitly in the sudoers file, but I have never needed to add them to this file in recent years, because the macOS sudoers file has an entry for the %admin group (nested membership, etc.). It seems to be one specific user who sees this error on occasion. He's on Monterey 12.4.

Were you able to determine the issue? We have been sporadically encountering the same behavior.

dstranathan
Valued Contributor II

Are you bound to AD?

Do you see the issue on both Ventura and Monterey?

Are all your users local administrators by default?

  • Yes bound to AD with mobile accounts
  • We saw it in Monterey as well as Ventura
  • Yes all users get added to /Groups/admin by default
  • Possibly related: we've been seeing issues where support gets the error “Username is not in the sudoers file. This incident will be reported” with our admin group listed in the /etc/sudoers file, which has nested groups in it:
    • ADMIN_GROUP
      • user1
      • user2
      • user3
      • Group1
        • user4
        • user5
      • Group2
        • user6
      • user7
      • user8

I'm not completely convinced that the two are related since the machine owner is in the local admin group, but maybe just another AD issue we encounter (shocker). My only thought is that maybe it's messing up the group lookups in general.