Hi guys,

I'm in a pickle: 
I'm trying to configure a domain in SSSD to both perform all the usual AD authentication wizardry, and at the same time perform LDAP Sudo lookup in the directory too. The AD schema has been extended. 

SSSD doesn't seem to like having both LDAP and AD directives in the same domain section, but doesn't the sudo provider need the LDAP options rather than the AD ones? That's how it works for IPA, as far as I know.

Has anyone gotten this working? I'm scratching my head. It works without the sudo bit.

SSSD.conf:

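# sssd.conf - one AD domain, using the AD providers for id/auth/access/chpass
# and the LDAP sudo provider against the sudo-extended AD schema.
# Comments are full-line only: SSSD's config parser may not strip text after a
# value, so a trailing "# note" can end up inside the value itself.
[sssd]
domains = ad.example.com
services = nss,pam,sudo
config_file_version = 2
debug_level = 3

[nss]
filter_groups = root
filter_users = root

[sudo]

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/ad.example.com]
# This is for testing only. Enumerating a whole AD domain is expensive and is
# not needed for logins or sudo; set it to false once testing is done.
enumerate = true

id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

# These values should auto-detect, but to be sure...
ad_server = server.ad.example.com
ad_hostname = client.ad.example.com
ad_domain = ad.example.com

# Provide default values for the Unix specifics
fallback_homedir = /home/%u
default_shell = /bin/bash

# LDAP SUDO must be done the old fashioned way.
# Newer SSSD releases also offer sudo_provider = ad, which reuses the AD
# connection settings above; check the sssd.conf(5) shipped with your version.
sudo_provider = ldap

# Provide LDAP params for the sudo provider.
# Plain ldap:// relies on the GSSAPI SASL layer configured below to protect the
# sudo queries on the wire; if you ever move off GSSAPI, switch to ldaps:// and
# pin the CA with ldap_tls_cacert so sudo rules cannot be tampered with in transit.
ldap_uri = ldap://server.ad.example.com/
ldap_sudo_search_base = OU=SUDOers,DC=ad,DC=example,DC=com
# refresh intervals in seconds
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 300

# Configure Machine Authentication (GSSAPI bind with the host keytab)
krb5_server = server.ad.example.com
# Must match the Kerberos realm exactly (the AD domain name in upper case).
# The original had "AD.EXMAPLE.COM", which does not match ad.example.com and
# would make every GSSAPI bind for sudo fail with a realm/principal error.
ldap_sasl_realm = AD.EXAMPLE.COM
ldap_sasl_mech = GSSAPI
# Principal in the keytab: the AD computer account. host/client was also tried.
# Keep any note on its own line - the original appended it after the value,
# where the parser may read it as part of the authid.
ldap_sasl_authid = client$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
# seconds
ldap_krb5_ticket_lifetime = 86400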

Cheers,
Jacob Neil Taylor