So I’ve extended my AD and created a sudoRole in an OU, and can get it to work for a single user. I can’t, however, get it to work with an AD group.

I’ve tried %<adgroupname>, <adgroupname>, and +<adgroupname>, all in the sudoUser attribute on the object, but cannot get it to use the group. `getent group <adgroupname>` returns members. The Sudoers LDAP manual has this to say about sudoUser:

“A user name, user ID (prefixed with ‘#’), Unix group name or ID (prefixed with ‘%’ or ‘%#’ respectively), user netgroup (prefixed with ‘+’), or non-Unix group name or ID (prefixed with ‘%:’ or ‘%:#’ respectively). User netgroups are matched using the user and domain members only; the host member is not used when matching. Non-Unix group support is only available when an appropriate group_plugin is defined in the global defaults sudoRole object.”

So is it reasonable to assume the last sentence is tripping this up? Does a group_plugin need to be defined in defaults? Which group_plugin needs to be defined in defaults? It all works fine with just a single user in the sudoUser attribute. Once I replace it with %<adgroupname>, the same way I put it in the sudoers file manually, it fails to match the rule.

From sssd_sudo.log:

When just my user is listed specifically in the sudoUser attribute of the sudoRole object in AD:

[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>) …

[sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic

[sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [myaduser@mydomain.com]

When a group that my user is a member of is in the sudoUser attribute of the sudoRole object in AD:

[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>) …

[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [myaduser@mydomain.com]

I’ve tried matching the case used in the filter in sssd_sudo.log; I’ve tried matching the case from `id $user`; nothing seems to work except listing my user account specifically. Is there some magic to getting AD groups to work with sudo LDAP objects?

Todd
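The following is an added example, not code from the post above and not sssd's or sudo's own implementation. It models the sudoUser specifier grammar quoted from the sudoers LDAP manual (user name, `#uid`, `%group`, `%#gid`, `+netgroup`, `%:nonunix`) as a small matcher, and rebuilds the `(|(sudoUser=...)...)` disjunction that the sssd_sudo.log lines show, including the `\20` escaping of the space in `Domain Users`. The `Identity`/`GroupPlugin` types, the `%#gid` and `+netgroup` terms in the filter, and all group names and gids are assumptions for illustration; only `myaduser` and uid 1165 come from the posted log.

```python
"""
Added example, not code from the original post or from sssd/sudo: a matcher
for the sudoUser specifier grammar quoted from the sudoers LDAP manual, plus
a reconstruction of the (|(sudoUser=...)...) filter seen in sssd_sudo.log.
All identities and rules below are constructed; "myaduser"/1165 come from
the log, the group names and gids are made up.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Identity:
    """Roughly what `id <user>` reports: name, uid, and group name -> gid."""
    name: str
    uid: int
    groups: dict
    netgroups: set = field(default_factory=set)


# Hypothetical signature standing in for the manual's group_plugin: given the
# identity and a non-Unix group name or "#id", decide membership.
GroupPlugin = Callable[[Identity, str], bool]


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter. RFC 4515 requires
    escaping '\\', '(', ')', '*' and NUL; the space is escaped too so the
    output matches the '%Domain\\20Users' form in sssd_sudo.log."""
    return "".join("\\%02x" % ord(ch) if ch in "\\()*\x00 " else ch for ch in value)


def sudo_rules_filter(ident: Identity) -> str:
    """Rebuild the sysdb filter from the log: ALL, the user name, '#uid' and
    '%group' for each group. The '%#gid' and '+netgroup' terms are added
    here because the manual allows them; the logged filter is truncated, so
    the post does not show whether sssd itself emits them (assumption)."""
    terms = ["ALL", ident.name, f"#{ident.uid}"]
    terms += [f"%{g}" for g in ident.groups]
    terms += [f"%#{gid}" for gid in ident.groups.values()]
    terms += [f"+{ng}" for ng in sorted(ident.netgroups)]
    inner = "".join(f"(sudoUser={ldap_filter_escape(t)})" for t in terms)
    return f"(&(objectClass=sudoRule)(|{inner}))"


def sudo_user_matches(spec: str, ident: Identity,
                      group_plugin: Optional[GroupPlugin] = None) -> bool:
    """Evaluate one sudoUser value against an identity using the manual's
    grammar. Comparisons are exact string matches; nothing folds case."""
    if spec == "ALL":
        return True
    if spec.startswith("%:"):
        # Non-Unix group name or '#id': only resolvable through a
        # group_plugin, which is the manual's caveat about the global
        # defaults sudoRole object. Without one, the value never matches.
        return group_plugin is not None and group_plugin(ident, spec[2:])
    if spec.startswith("%#"):
        return spec[2:].isdigit() and int(spec[2:]) in ident.groups.values()
    if spec.startswith("%"):
        return spec[1:] in ident.groups
    if spec.startswith("+"):
        # Netgroup: matched on user and domain members; the host member
        # is ignored, so a plain name set is enough for this model.
        return spec[1:] in ident.netgroups
    if spec.startswith("#"):
        return spec[1:].isdigit() and int(spec[1:]) == ident.uid
    return spec == ident.name


def matching_rules(rules: dict, ident: Identity,
                   group_plugin: Optional[GroupPlugin] = None) -> list:
    """Names of sudoRole objects with at least one matching sudoUser value."""
    return [name for name, specs in rules.items()
            if any(sudo_user_matches(s, ident, group_plugin) for s in specs)]


# Constructed sample data (not real AD objects).
SAMPLE_USER = Identity(name="myaduser", uid=1165,
                       groups={"Domain Users": 513, "linux-admins": 10001})
SAMPLE_RULES = {
    "user-rule": ["myaduser"],             # the form that works for the poster
    "group-rule": ["%linux-admins"],       # Unix-group form
    "nonunix-rule": ["%:linux-admins"],    # needs a group_plugin
    "wrong-case-rule": ["%Linux-Admins"],  # exact compare: no match
}

if __name__ == "__main__":
    print(sudo_rules_filter(SAMPLE_USER))
    print(matching_rules(SAMPLE_RULES, SAMPLE_USER))
    # A plugin that simply consults the same group map makes %: resolve too.
    print(matching_rules(SAMPLE_RULES, SAMPLE_USER,
                         group_plugin=lambda i, g: g in i.groups))
```

The point the model makes concrete: a `%group` value matches only when the exact string after `%` is one of the group names the user resolves to, a `%:` value matches nothing at all unless something plays the group_plugin role, and a group name containing a space is stored verbatim in the attribute but appears escaped (`\20`) in the filter sssd logs.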