We have our Macs AD bound with mobile accounts, and starting with Big Sur we've had several users run into an issue when trying to use sudo in a terminal window. They'll get the error that they're not in the sudoers file. Normally they'll be standard users using Privileges and it will work, but for some, sudo has stopped working altogether.
We've tried converting the mobile accounts to local accounts but this didn't solve the issue either. Has anyone run into similar issues?
We had the exact same issue with Privileges. We are in the process of changing to Jamf's Make Me Admin script. We added a line to create a a file in the sudoers.d directory with the persons user ID and we remove that file during the removeAdminRights.sh cleanup.
Our tests have worked excellently and we are preparing for pilot. Hope that helps! We struggled with this issue for months.
Sure thing! Under the section for give the user admin privileges we add this:
touch /etc/sudoers.d/domainadmins | echo "$currentUser ALL = (ALL) ALL" > /etc/sudoers.d/domainadmins
Then we add this to the removeAdminRights.sh:
rm -f /etc/sudoers.d/domainadmins
We found that if we don't chown the domainadmins file first, the script won't delete it properly.
On occasion we see situations when a legit user is running a command via sudo is denied even though the user is in the local admin group and should be able to perform the task (“User xxx is not in sudoers file, the incident will be reported”) They are in the dscl local admin group but not explicitly in the sudoers file but I have never needed to add them to this file in recent years, because the macOS sudoers file has an entry for the %admin group (nested membership, etc). Seems to be 1 specific user who sees this error on occasion. He's on Monterey 12.4.