How to add domain group to local docker group

I am wondering is there is a way to add a domain group to the local docker group instead of adding only local users to the group.

The linux machine is already added to the domain and I can verify that AD groups are accessible using the following command: getent group “domain\group_name”

I also have the domain group in the /etc/group: docker:x:998:“domain\domain_group”

I still get a permissions error when I run docker info command. however if I only include the local user instead of the domain_group in the docker file, it works fine. Any help would be appreciated!

Groups on Linux cannot be nested. You can add a user to a group but can’t add a group to another group.

You can on the other hand change Docker’s setting and use your AD group instead of the local.

cat /etc/systemd/system/


Description=Docker Socket for the API



The socket group can be changed, but I could only set a group ID, not the name of the AD group, but it had the same effect.

You will need to reload the systemd daemon and restart the docker.socket systemd unit.

systemctl daemon-reload
systemctl restart docker.socket

It is possible I missed something, but I have done it once, so it is indeed possible to change the group of the socket.

I also have another way which does not require changing the SocketGroup and it will be in my next tutorial, but the English version will come later. The point is that you can create a script at /usr/local/bin/docker with this content:

#!/usr/bin/env sh

exec sudo /usr/bin/docker "$@"

And allow users in the group you have chosen to run sudo /usr/bin/docker without a password.
It requires creating /etc/sudoers.d/docker with this content:

%docker-sudo ALL=(root) NOPASSWD: /usr/bin/docker

Instead of %docker-sudo you would need to specify the AD group, but I don’t remember the correct syntax to specify an AD group. I think it should be either

%DOMAIN\\group ALL=(root) NOPASSWD: /usr/bin/docker


%group@domain ALL=(root) NOPASSWD: /usr/bin/docker

It is a little better than giving access to the docker socket directly, as then the user can do anyrhing without any traces, but if the user needs sudo, you will see each docker command in the auth log which is at /var/log/auth.log on debian systems and I don’t remember where is it on other systems so you will need to search for it if you have one of those systems.


Thank you so much for walking me though this. That helped a lot. I was able to get it to work following your steps. One thing I had to add is to include the AD group to the sudoers file.
I appreciate your help!!