We use ansible to manage our Macs. ansible will execute sudo many times during the course of the play. Periodically it will fail with:
sudo: 4294967295: invalid value
sudo: error initializing audit plugin sudoers_audit
This is an AD joined machine and the user is an AD user.
Mac mini, macOS 11.2
I started running into this problem a couple weeks ago, and at least for my machine the fix seems to have been to unbind and re-bind to the AD domain. Upon doing this I noticed that the GID had apparently lost its AD mapping, which was fixed upon re-binding to the domain.
## BEFORE unbind/rebind
$ id
uid=1234567891(sanitized) gid=9876543219 groups=9876543219,12(everyone),62(netaccounts),80(admin),399(com.apple.access_ssh),702(com.apple.sharepoint.group.2),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1)
## AFTER unbind/rebind
$ id
uid=1234567891(sanitized) gid=9876543219(DOMAINNAME\Domain Users) groups=9876543219(DOMAINNAME\Domain Users),12(everyone),62(netaccounts),80(admin),399(com.apple.access_ssh),2128931439(DOMAINNAME\SomeUserGroup),702(com.apple.sharepoint.group.2),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1),166283020(DOMAINNAME\All Domain Users)
I started running into this problem a couple weeks ago, and at least for my machine the fix seems to have been to unbind and re-bind to the AD domain. Upon doing this I noticed that the GID had apparently lost its AD mapping, which was fixed upon re-binding to the domain.
## BEFORE unbind/rebind
$ id
uid=1234567891(sanitized) gid=9876543219 groups=9876543219,12(everyone),62(netaccounts),80(admin),399(com.apple.access_ssh),702(com.apple.sharepoint.group.2),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1)
## AFTER unbind/rebind
$ id
uid=1234567891(sanitized) gid=9876543219(DOMAINNAME\Domain Users) groups=9876543219(DOMAINNAME\Domain Users),12(everyone),62(netaccounts),80(admin),399(com.apple.access_ssh),2128931439(DOMAINNAME\SomeUserGroup),702(com.apple.sharepoint.group.2),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1),166283020(DOMAINNAME\All Domain Users)
Seems to be an issue with user/group ID which is linked to the AD. If you type dsconfig in the terminal what do you see under uid/gid? After consulting with the IT-service in charge of the AD they were able to resolve this issue for my computer by changing the binding process so that I now have valid gid/uid.
Just updated to 11.2.3 and now I'm not seeing this. It does seem to be an intermittent issue.
Reproducer:
while echo 'PASSWORD' | sudo --stdin echo hi; do true; done
We too are seeing this now on a Mac updated to Big Sur 11.3, worked fine on 11.2.3. Same issue that affects AD network account (the Mac is AD joined as well). Making the account an admin and/or using Privileges.app doesn't help, sudo will fail intermittently.
Unbind-rebind to AD did not help the issue.
I have a new Mac, also linked to an AD with OS 11.2.3, but the problem with sudo remains for me. I have tried to rebind to the AD and it didn't help. I get the same error message as above, any ideas for a solution?
I have the same Problem as gustavfromvästerås.
I have a new Mac, also linked to an AD with OS 11.2.3.
Tried to unbind-rebind to the AD and I still keep getting same error as above.
I'd love to hear any other suggestions.
It does, but it also seems intermittent. Normally "id" reports and resolves the uid/gids fine. Presumably you meant to say something like running "dsconfigad -show" which seems fine and in particular:
Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = /bin/bash
Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled
Advanced Options - Administrative
Preferred Domain controller = XXXX
Allowed admin groups = domain admins,enterprise admins
Authentication from any domain = Disabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain
I can't reproduce this with 10.14.6 or 10.15.7.
Same issue, on 10.15.7, after reboot, I cannot sudo for several attempts intermittently it will fail with the above message. System using AD.
Good idea - I'll check this the next time I see it.
Im also facing the same problem. Anyone found solution for this? please suggest.
sudo fails intermittently