Hi all,
I use SSSD with OpenLDAP and I am able to authenticate users.
I am trying to configure SSSD for managing and caching sudo, but I can't use sudo and the system replies with this:

Sorry, user xxx is not allowed to execute '/usr/bin/apt-get update' as root on MACHINE.

This is my sssd.conf


[nss]
filter_groups = root,andrea
filter_users = root,andrea
reconnection_retries = 3
debug_level = 4

[pam]
reconnection_retries = 3
debug_level = 4
offline_credentials_expiration = 90

[sudo]
debug_level = 7
# default values in seconds
#ldap_sudo_full_refresh_interval=21600
#ldap_sudo_smart_refresh_interval=900
ldap_sudo_full_refresh_interval=10
ldap_sudo_smart_refresh_interval=10

[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, sudo
domains = mydomain.com

[domain/mydomain.com]
debug_level = 7
cache_credentials = true
account_cache_expiration = 90
# With this as false, a simple "getent passwd" for testing won't work. You must do getent passwd user@domain.com
# enumerate = false
enumerate = true

id_provider = ldap
auth_provider = ldap
access_provider = ldap
sudo_provider = ldap
# chpass_provider = ldap

ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

ldap_uri = ldap://LDAPSERVER
ldap_search_base = dc=mydomain,dc=com
ldap_access_filter = (uidNumber=*)
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com


This is my nsswitch.conf

passwd:         compat sss
group:          compat sss
shadow:         compat sss
sudoers:        files sss


This is the log output

tail -f /var/log/auth.log /var/log/sssd/sssd_sudo.log /var/log/sssd/sssd_widegroup.eu.log

==> /var/log/auth.log <==
Nov  8 15:50:46 andrea-X550LA sudo: pam_unix(sudo:auth): authentication failure; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost=  user=MYUSER

==> /var/log/sssd/sssd_mydomain.com.log <==
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=MYUSER]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=mydomain,dc=eu]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=eu].
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Save user
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_primary_name] (0x0400): Processing object MYUSER
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Processing user MYUSER
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Original memberOf is not available for [MYUSER].
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): User principal is not available for [MYUSER].
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user] (0x0400): Storing info for user MYUSER
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [dc=mydomain,dc=eu]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=MYUSER)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=mydomain,dc=eu].
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=netsudo,ou=groups,dc=mydomain,dc=eu].
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_initgr_done] (0x0400): Primary group already cached, nothing to do.
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: MYUSER
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sudo
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: /dev/pts/7
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: MYUSER
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost:
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 0
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 7144
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_server_status] (0x1000): Status of server 'LDAPSERVER' is 'working'
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'LDAPSERVER' is 'working'
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_server_status] (0x1000): Status of server 'LDAPSERVER' is 'working'
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server LDAPSERVER: [xxx.xxx.xxx.xxx] TTL 2222
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://LDAPSERVER'
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://LDAPSERVER:389/??base] with fd [24].
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'LDAPSERVER' as 'working'
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'LDAPSERVER' as 'working'
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'LDAPSERVER' as 'working'
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=MYUSER,ou=people,dc=mydomain,dc=eu
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [No error].
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_pam_auth_done] (0x0100): Password successfully cached for MYUSER
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com]

==> /var/log/auth.log <==
Nov  8 15:50:46 andrea-X550LA sudo: pam_sss(sudo:auth): authentication success; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER

==> /var/log/sssd/sssd_mydomain.com.log <==
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: MYUSER
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sudo
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: /dev/pts/7
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser: MYUSER
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost:
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 0
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 7144
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_send] (0x0400): Performing access check for user [MYUSER]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [MYUSER]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_filter_done] (0x0400): Access granted by online lookup
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it.
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com]
(Wed Nov  8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com]

==> /var/log/auth.log <==
Nov  8 15:50:46 andrea-X550LA sudo: MYUSER : command not allowed ; TTY=pts/7 ; PWD=/home/MYUSER ; USER=root ; COMMAND=/usr/bin/apt-get update

==> /var/log/sssd/sssd_sudo.log <==
(Wed Nov  8 15:50:46 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

Please, could you help me understand what's wrong?


Many thanks in advance and any help is appreciated.

Regards.
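An added example, not code from the post or from SSSD: it parses a constructed sudoRole entry of the shape a sudo_provider = ldap setup expects under ldap_sudo_search_base, builds the ldapsearch-style filter SSSD uses to fetch one user's rules (an approximation), and evaluates the sudoUser/sudoHost/sudoCommand matching that sudo performs on the rules it receives, which is what ends in "command not allowed" when nothing matches. The LDIF, the group "netsudo", the uid and the host name are assumptions.

```python
import fnmatch
import shlex

# Constructed LDIF (not from the post): a sudoRole under ou=sudoers for group "netsudo".
SAMPLE_LDIF = """\
dn: cn=netsudo,ou=sudoers,dc=mydomain,dc=com
objectClass: sudoRole
cn: netsudo
sudoUser: %netsudo
sudoHost: ALL
sudoCommand: /usr/bin/apt-get update
sudoCommand: !/usr/bin/apt-get dist-upgrade
"""

def parse_ldif(text):
    """Split LDIF into a list of {attribute: [values]} dicts (no line folding)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entries.append({})
        for key, _, val in (ln.partition(":") for ln in block.splitlines()):
            entries[-1].setdefault(key.strip(), []).append(val.strip())
    return entries

def user_filter(user, uid, groups):
    """Filter like SSSD's for one user's rules (approximation; netgroups omitted)."""
    terms = ["(sudoUser=ALL)", f"(sudoUser={user})", f"(sudoUser=#{uid})"]
    terms += [f"(sudoUser=%{g})" for g in groups]
    return f"(&(objectClass=sudoRole)(|{''.join(terms)}))"

def _user_matches(spec, user, uid, groups):
    if spec.startswith("%"):
        return spec[1:] in groups            # %group: LDAP group membership
    return spec in ("ALL", user, f"#{uid}")  # ALL, login name or #uid

def _command_matches(spec, argv):
    """sudoCommand is 'path [args]': bare path allows any args, '*' globs args."""
    want = shlex.split(spec)
    if want == ["ALL"] or (len(want) == 1 and argv[0] == want[0]):
        return True
    return len(argv) == len(want) and all(map(fnmatch.fnmatchcase, argv, want))

def command_allowed(entries, user, uid, groups, host, argv):
    """Evaluate sudoRole entries as sudo does (runas not checked); '!' match denies."""
    allowed = False
    for e in entries:
        if not any(_user_matches(s, user, uid, groups) for s in e.get("sudoUser", [])) \
                or not any(h in ("ALL", host) for h in e.get("sudoHost", [])):
            continue  # rule is for another user or host (cn=defaults has no sudoUser)
        for spec in e.get("sudoCommand", []):
            if _command_matches(spec.lstrip("!"), argv):
                if spec.startswith("!"):
                    return False  # an explicit deny wins
                allowed = True
    return allowed
```

Run user_filter() output through ldapsearch with -b set to your ldap_sudo_search_base; if the directory returns no sudoRole for the user, the sudo responder has nothing to serve no matter how the refresh intervals are tuned.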
