I can't seem to get this working and here is what I have done so far.
I am using samba 4.1.6
my /etc/samba/smb.conf looks like so
security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 8000-9999999
idmap config DOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = yes
winbind nested groups=yes
# so that the users show up in getent
winbind enum users = Yes
# doesn't seem to do the same for groups :-/
winbind enum groups = Yes
restrict anonymous = 2
In AD my group it has a gid 8001
#getent group it
it:x:8001:myusername,others
in /etc/sudoers is the line
%it ALL=(ALL:ALL) ALL
when I ssh to said machine like so
ssh myusername at problemhost
then run a command like so
> sudo echo
[sudo] password for myusername:
myusername is not in the sudoers file. This incident will be reported.
I tried adding another line to /etc/sudoers as follows
%DOMAIN\\it ALL=(ALL:ALL) ALL
and
%DOMAIN\it ALL=(ALL:ALL) ALL
but neither of them work either.
I seem to be able to get into the nfs shares I have group permissions to
but I can not get sudo to work with my AD user group.