  • macOS Catalina 10.15.3, Centrify 5.5.2-702
  • UserA is a "Mobile" (AD Authenticated) user showing as "Admin" in Users & Groups
  • UserA is shown as a member of the local "admin" group when running "groups x" or "id"
  • UserA can perform admin tasks in the GUI (such as installing software, unlocking System Preferences etc)
  • UserA cannot sudo on a particular Mac (MacX): "xxx is not in the sudoers file. This incident will be reported."
  • UserA can sudo on other Macs (Y, Z, ...)
  • Logs show Centrify PAM is successful. Other (local) users can sudo (no issue with the sudo file)

I'm at a loss why this is happening - and have spent hours troubleshooting this to no avail. Any help where to look next would be incredibly helpful!

klanomath
Buzbe
  • To use sudo that user must be in the sudoers file or in a group that is in the sudoers file. I would check the groups first - make sure that user is in the appropriate group (should be wheel) – Allan Feb 14 '20 at 18:56
  • @Allan the user is reported as a member of admin group 80 (and I can run GUI admin commands such as unlocking user preferences etc). My current thinking is that it's part of the pam chain with Centrify or something similar that is not reporting a membership of the admin group in time. – Buzbe Feb 15 '20 at 08:37
  • @klanomath is correct, I mix up FreeBSD and macOS from time to time. As for Centrify, it’s not a matter of “in time” because you’ve logged in, you’re in the group. – Allan Feb 15 '20 at 11:41
  • @klanomath - that file has the expected 6(ish) lines referencing centrify (and I’ve checked this against another Mac running the same version of Mac OS and Centrify), these are identical. – Buzbe Feb 15 '20 at 21:00
  • Since I’ve posted - I’ve also cleared my user's Cache (~/Library/Cache), Preferences (~/Library/Preferences), and cleared my local opendirectory profile. No change – Buzbe Feb 15 '20 at 21:03
  • I’ve been able to login to another Mac on the network and sudo, and other users can also sudo on their machines. – Buzbe Feb 15 '20 at 21:29
  • @Buzbe "I’ve been able to login to another Mac on the network" means "I=UserA is a "Mobile" (AD Authenticated) user showing as "Admin" in Users & Groups"? Or in other words: UserA can't use sudo on one particular Mac but can on all other Macs, and UserB (also admin) can use sudo on this particular Mac? – klanomath Feb 15 '20 at 22:04
  • My user is showing as Mobile and Admin on this Mac - and cannot sudo. On other macs, I have sudo rights.

    Have not tried another admin (and mobile user) on this Mac yet.

    – Buzbe Feb 15 '20 at 22:14
  • @Klanomath - yep correct. Still no luck on my side though. Very challenging issue! – Buzbe Feb 16 '20 at 22:08
  • @Buzbe Did you already try to login with UserB (Mobile and Admin) on MacX and execute sudo ...? – klanomath Feb 16 '20 at 22:10
  • Is your user using a non-default terminal client? I noticed after upgrading to Catalina that I could sudo in Terminal.app but not iterm2. After granting iTerm2 full disk access I was able to sudo again – chrisortman Feb 17 '20 at 23:52
  • I got the same problem. Mobile user, belong to Admin group. I can manage all my Mac settings and access any files, but sudo doesn't work. Tried granting full disk permission to the iTerm and Term.app – didn't help. – dobrych Feb 08 '22 at 00:07
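
Allan's comment above says sudo needs the user, or a group the user belongs to, to be named in the sudoers file. The following Python script is an added example, not code from anyone in this thread: it compares a line of `id` output with the user specifications in a sudoers file and lists the rules that apply on paper. The sample `id` line and sudoers text are constructed, and the parser assumes a simplified sudoers subset (no aliases, no followed includes, user lists without spaces, exact-case group names).

```python
import re

def parse_id(output):
    """Return (uid, username, {gid: group_name}) from one line of `id` output."""
    uid, user = re.search(r"uid=(\d+)\(([^)]*)\)", output).groups()
    group_part = output.split("groups=", 1)[1]
    # Names are read up to ')' so AD group names with spaces or backslashes survive.
    groups = {int(g): n for g, n in re.findall(r"(\d+)\(([^)]*)\)", group_part)}
    return int(uid), user, groups

def entry_matches(entry, uid, user, groups):
    """Match one sudoers user-list entry: ALL, name, #uid, %group or %#gid."""
    if entry in ("ALL", user) or entry == f"#{uid}":
        return True
    if entry.startswith("%#"):
        return entry[2:].isdigit() and int(entry[2:]) in groups
    return entry.startswith("%") and entry[1:] in groups.values()

def matching_rules(sudoers_text, uid, user, groups):
    """List the user specifications that name this user or one of their groups."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        # '#' opens a comment unless it is '#<digits>' (a uid); includes are not followed.
        if not line or (line.startswith("#") and not re.match(r"#\d+\s", line)):
            continue
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue
        who = line.split()[0]  # simplification: the user list contains no spaces
        if any(entry_matches(e, uid, user, groups) for e in who.split(",")):
            hits.append(line)
    return hits

# Constructed sample data, not captured from the poster's machine.
SAMPLE_ID = r"uid=1234567(usera) gid=20(staff) groups=20(staff),80(admin),987654(EXAMPLE\domain users)"
SAMPLE_SUDOERS = """\
# User specification
root    ALL = (ALL) ALL
%admin  ALL = (ALL) ALL
#includedir /private/etc/sudoers.d
"""

if __name__ == "__main__":
    uid, user, groups = parse_id(SAMPLE_ID)
    rules = matching_rules(SAMPLE_SUDOERS, uid, user, groups)
    print(f"{user}: {len(rules)} matching rule(s)")
    for rule in rules:
        print("  ", rule)
```

If a rule matches here but sudo still refuses, the next comparison is what sudo itself resolves for the account, for example `sudo -l -U <user>` run by an admin whose sudo works on that Mac.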

0 Answers