Note

While making this post I managed to find the problem myself so I thought I might as well post in case it may help someone else later on. The problem was that I had a typo in /etc/nsswitch.conf, I had written suduers and not sudoers

The sudoers: entry wasn't there from the beginning so I had to add it, hence the typo. One more thing was that the package libsss-sudo wasn't installed either, which was needed.

Post

I have my Linux-servers joined to my AD with SSSD like this:

apt-get install sssd-ad sssd-tools realmd adcli krb5-user libsss-sudo
realm join -U Administrator domain.local

I can logon with my AD-users just fine but now I want to manage the sudo-rules in AD too.

I extended the AD schema like this on my AD-server:

> wget https://raw.githubusercontent.com/sudo-project/sudo/main/docs/schema.ActiveDirectory -O schema.ActiveDirectory

I changed all the DC=X entries with DC=domain,DC=local and then ran:

> ldifde -i -f schema.ActiveDirectory

So far so good. I created an OU where I want all my sudo-rules:

OU=Sudo-rules,OU=Linux Servers,OU=Computers,OU=Company,DC=domain,DC=local

In the OU Sudo-rules I created an object with the sudoRole class, named it LinuxAdminsSudo and edited the following attributes:

sudoCommand: ALL
sudoHost: ALL
sudoRunAs: ALL
sudoUser: %[email protected]

The [email protected] is an AD-group where all the Linux-admins are members and I want them to get full sudo-access to all Linux-servers.

This is my /etc/sssd/sssd.conf:

[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam, sudo

[domain/domain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = domain.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
sudo_provider = ad

[sudo]

In /etc/nsswitch.conf I added:

sudoers:        sss files

Clear cache for SSSD and restart:

sss_cache -E
systemctl restart sssd

Now I log in with a user that's in the LinuxAdmins-group and when I run sudo -l I get this:

Sorry, user [email protected] may not run sudo on linux-host1.

So I'm not allowed to run sudo at all even though the rule in AD should allow this.

When checking the SSSD cache I can see that it has indeed retrieved the rule:

ldbsearch -H /var/lib/sss/db/cache_domain.local.ldb

I found this entry:

# record 28
dn: name=LinuxAdminsSudo,cn=sudorules,cn=custom,cn=domain.local,cn=sysdb
cn: LinuxAdminsSudo
dataExpireTimestamp: 1699953662
entryUSN: 65897179
name: LinuxAdminsSudo
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=domain,DC=local
objectClass: sudoRule
originalDN: CN=LinuxAdminsSudo,OU=Sudo-rules,OU=Linux Servers,OU=Computers,OU=Company,DC=domain,DC=local
sudoCommand: ALL
sudoHost: ALL
sudoRunAs: ALL
sudoUser: %[email protected]
distinguishedName: name=LinuxAdminsSudo,cn=sudorules,cn=custom,cn=domain.local,cn=sysdb

Which indicates that it can retrieve the rule just fine from AD.

And everything was just fine, I had just made a typo in /etc/nsswitch.conf, as stated at the beginning of the post.
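The three things this post ended up needing (a correctly spelled sudoers: source in nsswitch.conf, the sudo responder and provider in sssd.conf, and the libsss-sudo package) can be checked before restarting SSSD. The following checker is an added example, not part of the original post; file paths are arguments so copies of the configs can be tested offline, and --live is an assumed switch for checking the running system.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post): checks what the post
# ended up needing for SSSD-backed sudo rules on a Debian/Ubuntu AD member.

# 0 if a 'sudoers:' line names the sss source; 1 otherwise, with the reason
# (including a misspelled key such as the post's 'suduers') on stderr.
check_nsswitch() {
    f="$1"
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$f" && return 0
    typo=$(grep -Eio '^sud[a-z]*ers:' "$f" | grep -vi '^sudoers:' | head -n1)
    if [ -n "$typo" ]; then
        echo "nsswitch: found '$typo' but no 'sudoers:' entry (typo?)" >&2
    elif grep -Eq '^[[:space:]]*sudoers:' "$f"; then
        echo "nsswitch: 'sudoers:' entry does not list the sss source" >&2
    else
        echo "nsswitch: no 'sudoers:' entry at all" >&2
    fi
    return 1
}

# 0 if 'services' lists sudo and the effective sudo provider is ad/ldap/ipa.
# sudo_provider falls back to id_provider when unset, as SSSD itself does.
check_sssd_conf() {
    f="$1"
    if ! grep -Eq '^[[:space:]]*services[[:space:]]*=[[:space:]]*(.*,)?[[:space:]]*sudo([[:space:],]|$)' "$f"; then
        echo "sssd.conf: 'sudo' missing from services= in [sssd]" >&2
        return 1
    fi
    prov=$(sed -n 's/^[[:space:]]*sudo_provider[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | head -n1)
    [ -n "$prov" ] || prov=$(sed -n 's/^[[:space:]]*id_provider[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | head -n1)
    case "$prov" in
        ad|ldap|ipa) return 0 ;;
        *) echo "sssd.conf: sudo provider is '${prov:-unset}', expected ad/ldap/ipa" >&2; return 1 ;;
    esac
}

# 0 if the libsss-sudo package is installed (dpkg-based systems only).
check_libsss_sudo() {
    dpkg-query -W -f='${Status}\n' libsss-sudo 2>/dev/null | grep -q 'install ok installed'
}

# Pass --live (assumed switch) to check the running system; otherwise the
# functions are only defined, so the file can be sourced or tested offline.
if [ "$1" = "--live" ]; then
    rc=0
    check_nsswitch /etc/nsswitch.conf   || rc=1
    check_sssd_conf /etc/sssd/sssd.conf || rc=1
    check_libsss_sudo || { echo "package libsss-sudo is not installed" >&2; rc=1; }
    exit $rc
fi
```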

1 Answer

I made a typo in /etc/nsswitch.conf. I had written suduers and not sudoers.
