How to add domain group to local docker group

I am wondering if there is a way to add a domain group to the local docker group instead of adding only local users to the group.

The Linux machine is already added to the domain and I can verify that AD groups are accessible using the following command: getent group "domain\group_name"

I also have the domain group in the /etc/group: docker:x:998:"domain\domain_group"

I still get a permissions error when I run the docker info command. However, if I only include the local user instead of the domain_group in the docker file, it works fine. Any help would be appreciated!

Groups on Linux cannot be nested. You can add a user to a group but can’t add a group to another group.

You can, on the other hand, change Docker's setting and use your AD group instead of the local one.

cat /etc/systemd/system/sockets.target.wants/docker.socket

Output

[Unit]
Description=Docker Socket for the API

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target

The socket group can be changed. I could only set a group ID, not the name of the AD group, but it had the same effect.

You will need to reload the systemd daemon and restart the docker.socket systemd unit.

systemctl daemon-reload
systemctl restart docker.socket

It is possible I missed something, but I have done it once, so it is indeed possible to change the group of the socket.

I also have another way which does not require changing the SocketGroup and it will be in my next tutorial, but the English version will come later. The point is that you can create a script at /usr/local/bin/docker with this content:

#!/usr/bin/env sh

exec sudo /usr/bin/docker "$@"

And allow users in the group you have chosen to run sudo /usr/bin/docker without a password.
It requires creating /etc/sudoers.d/docker with this content:

%docker-sudo ALL=(root) NOPASSWD: /usr/bin/docker

Instead of %docker-sudo you would need to specify the AD group, but I don’t remember the correct syntax to specify an AD group. I think it should be either

%DOMAIN\\group ALL=(root) NOPASSWD: /usr/bin/docker

or

%group@domain ALL=(root) NOPASSWD: /usr/bin/docker

It is a little better than giving access to the docker socket directly, as then the user can do anything without any traces. If the user needs sudo, you will see each docker command in the auth log, which is at /var/log/auth.log on Debian systems. I don't remember where it is on other systems, so you will need to search for it if you have one of those.

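The two approaches from the answer above as a set of shell functions. This is an added example, not code from the forum post or from Docker: it assumes a host where the AD group resolves through NSS (SSSD or winbind, so that getent group sees it), and the group name 'DOMAIN\docker-admins', the drop-in path docker.socket.d/override.conf, the sudoers file name /etc/sudoers.d/docker and the DRY_RUN switch are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the forum post): grant an AD group access to the
# Docker daemon either by re-grouping docker.socket or via a sudo wrapper.
# Assumed: the AD group is visible to getent (SSSD/winbind); run as root.
set -eu

# Resolve a group (local or AD) to its numeric GID via NSS. An empty result
# means NSS cannot see the group, which is the first thing to check when an
# /etc/group edit "does not work".
gid_of_group() {
    getent group "$1" | cut -d: -f3
}

# Same extraction from an already captured getent line (checkable offline).
gid_from_getent_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Approach 1: systemd drop-in for docker.socket. Only SocketGroup changes;
# SocketMode stays 0660 from the packaged unit, so "other" still cannot open
# the socket. A drop-in under docker.socket.d/ survives package upgrades,
# unlike editing the unit under sockets.target.wants/ (a symlink to the
# packaged file). The numeric GID is used because a name did not work for
# the answer's author.
render_socket_override() {
    printf '[Socket]\nSocketGroup=%s\n' "$1"
}

# Write the drop-in for a numeric GID. With DRY_RUN=1 (assumed name) nothing
# is reloaded or restarted, so the function can be exercised on any host.
install_socket_override_gid() {
    gid="$1"; sysdir="${2:-/etc/systemd/system}"
    mkdir -p "$sysdir/docker.socket.d"
    render_socket_override "$gid" > "$sysdir/docker.socket.d/override.conf"
    if [ "${DRY_RUN:-0}" = 1 ]; then return 0; fi
    systemctl daemon-reload
    systemctl restart docker.socket
    # Check: the socket's numeric group must now be the AD group's GID.
    ls -ln /var/run/docker.sock
}

install_socket_override() {
    gid=$(gid_of_group "$1")
    [ -n "$gid" ] || { echo "group '$1' not resolvable via getent" >&2; return 1; }
    install_socket_override_gid "$gid" "${2:-/etc/systemd/system}"
}

# Approach 2: sudo wrapper. Backslashes in DOMAIN\group are doubled because a
# single backslash is an escape character in sudoers. Whether SSSD expects
# DOMAIN\\group or group@domain depends on its use_fully_qualified_names
# setting, so confirm the result with 'sudo -l' as a member of the group.
render_sudoers_rule() {
    escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g')
    printf '%%%s ALL=(root) NOPASSWD: /usr/bin/docker\n' "$escaped"
}

# Install the sudoers fragment only after visudo has parsed it: a syntax
# error in /etc/sudoers.d/ can lock every admin out of sudo on the host.
install_sudoers_rule() {
    group="$1"; sudoersdir="${2:-/etc/sudoers.d}"
    tmp=$(mktemp)
    render_sudoers_rule "$group" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp"
    fi
    install -m 0440 "$tmp" "$sudoersdir/docker"   # root-owned when run as root
    rm -f "$tmp"
}

# The wrapper from the answer, installed so that 'docker ...' goes through
# sudo. /usr/local/bin must precede /usr/bin in the users' PATH.
install_wrapper() {
    bindir="${1:-/usr/local/bin}"
    mkdir -p "$bindir"
    printf '#!/usr/bin/env sh\nexec sudo /usr/bin/docker "$@"\n' > "$bindir/docker"
    chmod 0755 "$bindir/docker"
}

# Usage: sh docker-ad-group.sh install_socket_override 'DOMAIN\docker-admins'
#    or: sh docker-ad-group.sh install_sudoers_rule 'DOMAIN\docker-admins'
[ "$#" -eq 0 ] || "$@"
```

Neither approach is a privilege boundary: a user who can run docker through either path can start a container with the host filesystem mounted and is therefore root-equivalent, so the group should be treated like a sudo-all group. The sudo route only adds an audit trail: on systemd hosts it is also visible with journalctl _COMM=sudo, and on RHEL-family systems the file is /var/log/secure rather than /var/log/auth.log.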

Thank you so much for walking me through this. That helped a lot. I was able to get it to work following your steps. One thing I had to add is to include the AD group in the sudoers file.
I appreciate your help!!