
I have 2 Linux servers: RHEL 5.11 and RHEL 7.3. I have a bash script named "deploy.sh" at /app/deploy/deploy.sh and /app2/deploy/deploy.sh. There is a user group named "deployers" on Centrify and a user who is a member of this "deployers" group. This user (I'll call it "deployer") can run the deploy.sh script with dzdo on the first server (5.11 Tikanga), but it cannot run the same script on the second server (7.3 Maipo).

The following output is from Tikanga:

[deployer@tikanga ~]$ dzdo -u depuser /app/deploy/deploy.sh
Success!

[deployer@tikanga ~]$ ls -la /app/deploy/ | grep deploy
-rwxr-xr-x  1 depuser depuser     4960 Apr 14  2016 deploy.sh

[root@tikanga ~]# cat /etc/sudoers | grep deployers
%deployers ALL=(depuser)   NOPASSWD: /app/deploy/deploy.sh

And the following output is from Maipo:

[deployer@maipo ~]$ dzdo -u depuser /app2/deploy/deploy.sh
Sorry, user deployer is not allowed to execute '/app2/deploy/deploy.sh' as depuser on maipo.

[deployer@maipo ~]$ ls -la /app2/deploy/ | grep deploy
-rwxr-xr-x.  1 depuser depuser  5159 Aug 17 12:22 deploy.sh

[root@maipo ~]# cat /etc/sudoers | grep deployers
%deployers    ALL=(depuser)   NOPASSWD: /app2/deploy/deploy.sh

Both of the servers are in the domain with Centrify.

  • I'd suggest a chgrp deployers /app2/deploy/deploy.sh, however, you would lose the added security of requiring a su-like call before running the script. Commented Aug 23, 2017 at 9:03
  • It does not work. Same error again. Commented Aug 23, 2017 at 9:08
  • That dot at the end of the permissions on app2 might suggest SELinux has something to do with this. – mcalex Commented Aug 23, 2017 at 9:29
  • I will try disabling SELinux when I get a permit for rebooting the server. Thanks. Commented Aug 23, 2017 at 10:27
  • It was not about SELinux. It was about Centrify user/group rules. Commented Aug 25, 2017 at 11:35
