Thanks Galen for your help.

This is the output of the sssd_sudo.log and sssd_domain.log when I try a sudo command.
The debug is set to 7.
I don't post now the sudo_debug.log because it's very long. If it could be useful I can try to post it also later.


==> sssd_sudo.log <==
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'MYUSER' matched without domain, user is MYUSER
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'MYUSER' matched without domain, user is MYUSER
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [MYUSER] from [<ALL>]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [MYUSER@MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [MYUSER@MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [MYUSER] from [MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=MYUSER)(sudoUser=#1126)(sudoUser=%SystemAdmin)(sudoUser=%MYUSER)(sudoUser=+*))(&(dataExpireTimestamp<=1510329679)))]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [<default options>@MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'MYUSER' matched without domain, user is MYUSER
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'MYUSER' matched without domain, user is MYUSER
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [MYUSER] from [<ALL>]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [MYUSER@MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [MYUSER@MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [MYUSER] from [MYDOMAIN.COM]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=MYUSER)(sudoUser=#1126)(sudoUser=%SystemAdmin)(sudoUser=%MYUSER)(sudoUser=+*))(&(dataExpireTimestamp<=1510329679)))]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=MYUSER)(sudoUser=#1126)(sudoUser=%SystemAdmin)(sudoUser=%MYUSER)(sudoUser=+*)))]
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Fri Nov 10 17:01:19 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [MYUSER@MYDOMAIN.COM]

==> sssd_MYDOMAIN.COM.log <==
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=MYUSER]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_req_set_domain] (0x0400): Changing request domain from [MYDOMAIN.COM] to [MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=MYDOMAIN,dc=COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_save_user] (0x0400): Save user
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_primary_name] (0x0400): Processing object MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_save_user] (0x0400): Processing user MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_save_user] (0x0400): Original memberOf is not available for [MYUSER].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_save_user] (0x0400): User principal is not available for [MYUSER].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_save_user] (0x0400): Storing info for user MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [dc=MYDOMAIN,dc=COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberuid=MYUSER)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=SystemAdmin,ou=groups,dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_initgr_done] (0x0400): Primary group already cached, nothing to do.
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_req_set_domain] (0x0400): Changing request domain from [MYDOMAIN.COM] to [MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler] (0x0100): Got request with the following data
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): domain: MYDOMAIN.COM
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): user: MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): service: sudo
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): tty: /dev/pts/4
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): ruser: MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): rhost:
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): authtok type: 1
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): priv: 0
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): cli_pid: 30273
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): logon name: not set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [get_server_status] (0x1000): Status of server 'LDAPSERVER' is 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [get_port_status] (0x1000): Port status of port 389 for server 'LDAPSERVER' is 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [get_server_status] (0x1000): Status of server 'LDAPSERVER' is 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_resolve_server_process] (0x0200): Found address for server LDAPSERVER: [XXX.XXX.XXX.XXX] TTL 2994
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://LDAPSERVER'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://LDAPSERVER:389/??base] with fd [24].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'LDAPSERVER' as 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [set_server_common_status] (0x0100): Marking server 'LDAPSERVER' as 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'LDAPSERVER' as 'working'
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [No error].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_pam_auth_done] (0x0100): Password successfully cached for MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler_callback] (0x0100): Sending result [0][MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler_callback] (0x0100): Sent result [0][MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_req_set_domain] (0x0400): Changing request domain from [MYDOMAIN.COM] to [MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler] (0x0100): Got request with the following data
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): domain: MYDOMAIN.COM
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): user: MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): service: sudo
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): tty: /dev/pts/4
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): ruser: MYUSER
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): rhost:
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): authtok type: 0
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): priv: 0
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): cli_pid: 30273
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [pam_print_data] (0x0100): logon name: not set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_access_send] (0x0400): Performing access check for user [MYUSER]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [MYUSER]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM].
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [sdap_access_filter_done] (0x0400): Access granted by online lookup
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it.
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler_callback] (0x0100): Sending result [0][MYDOMAIN.COM]
(Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler_callback] (0x0100): Sent result [0][MYDOMAIN.COM]

==> sssd_sudo.log <==
(Fri Nov 10 17:01:22 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

According with Lukas's link:

a) SSSD sudo responder – sssd_sudo.log:
There is this line: [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [MYUSER@MYDOMAIN.COM]

There is also this line: [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=MYUSER)(sudoUser=#1126)(sudoUser=%SystemAdmin)(sudoUser=%MYUSER)(sudoUser=+*)))]

b) SSSD domain – sssd_$domain.log

There is not this line: sdap_sudo_refresh_load_done
There is not this line: sysdb_save_sudorule
There is not this line: sdap_sudo_refresh_load_done

There is this line: [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][uid=MYUSER,ou=people,dc=MYDOMAIN,dc=COM]
BUT it doesn't look for sudo information but only about uid...

Could be this the problem?

Thanks all for the hints.

Andrea




2017-11-10 14:47 GMT+01:00 Galen Johnson <solitaryr@gmail.com>:
I've not set this up but it looks as though you have the system configured correctly to leverage sssd.  At this point, it looks like you may want to ask on the sudoers list what needs to be done on the ldap side as well.  Also, the link Lukas pointed to may help.  Looking at the original log snippets provided, I see no reference to the ldap_sudo_search_base string.  I would have expected to see a search request for sudo like you see for other queries.  This is stretching my expertise at this point.  If it were me, I would focus on the ldap pieces now and figure out a) is the ldap config correct (ldapsearch is your friend here) and b) what I may have misconfigured in the sssd ldap configs.  In general, I tend to bump the debug up to 10 (sss_debug is helpful), run a quick test, then drop the debug back down so I can minimize the noise.

=G=

On Fri, Nov 10, 2017 at 8:17 AM, Andrea Passuello <andrea.passuello@widegroup.eu> wrote:
Thanks for the hint.

Ok the output is this

$ sudo sudo --version | grep sssd
Configure options: --prefix=/usr -v --with-all-insults --with-pam --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --without-lecture --with-tty-tickets --disable-root-mailer --enable-admin-flag --with-sendmail=/usr/sbin/sendmail --with-rundir=/var/run/sudo --mandir=/usr/share/man --libexecdir=/usr/lib/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --with-selinux --with-linux-audit


Is it ok?

What can I check now?









2017-11-10 13:58 GMT+01:00 Galen Johnson <solitaryr@gmail.com>:
Try 'sudo sudo --version'.  I got the same output as you until I ran sudo --version with root privs.

=G=

On Fri, Nov 10, 2017 at 3:45 AM, Andrea Passuello <andrea.passuello@widegroup.eu> wrote:
Thanks for the answers.

# dpkg -l | grep sudo
ii  libsss-sudo                                                 1.13.4-1ubuntu1.8                                           amd64        Communicator library for sudo
ii  sudo                                                        1.8.16-0ubuntu1.5                                           amd64        Provide limited super user privileges to specific users

I don't have sudo-ldap installed.

# sudo --version | grep sssd
doesn't return anything

# sudo --version
Sudo version 1.8.16
Sudoers policy plugin version 1.8.16
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.16

What do I miss?

Thanks a lot.









2017-11-09 21:45 GMT+01:00 Michael Ströder <michael@stroeder.com>:
Lukas Slebodnik wrote:
> On (08/11/17 16:01), Andrea Passuello wrote:
>> Hi all,
>> I use SSSD with OpenLDAP and I am able to authenticate users.
>> I am trying to configure SSSD for managing and caching sudo but I can't use
>> sudo and the system reply me with this:
>>
>> Sorry, user xxx is not allowed to execute '/usr/bin/apt-get update' as root
>> on MACHINE.
>>
> A) ensure that you have right version of sudo installed on debian/ubuntu
>    It need to be compiled with sssd support
>    sudo --version | grep sssd
For whatever reason Debian has to different sudo packages:
sudo - Provide limited super user privileges to specific users
sudo-ldap - Provide limited super user privileges to specific users

For "sudoers: sss" in nsswitch.conf you need package "sudo" and *not*
"sudo-ldap" even if you have your sudoers entries in LDAP directory.

Ciao, Michael.


_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org



Avvertenze ai sensi del D.Lgs.196 del 30/06/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o files allegati, sono da considerarsi strettamente riservati. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nello stesso. Costituisce violazione ai principi dettati dal D.Lgs. 196/2003: trattenere il messaggio stesso oltre il tempo necessario, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo od utilizzarlo per finalità diverse. In ogni momento potrà richiederci la sospensione dell'impiego dei suoi dati, ad esclusione delle comunicazioni effettuate in esecuzione di obblighi di legge. Qualora avesse ricevuto questo messaggio senza esserne il destinatario La preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso dal Suo sistema. Se desidera presentare un reclamo, può trovare informazioni e supporto sul nostro sito www.widegroup.eu/reclami​ o può scrivere a reclami@widegroup.eu. Grazie.

This message is confidential. It may also be privileged or otherwise protected by work, product, immunity or other legal rules. If you have received it by mistake, please let us know by e-mail reply and delete it from your system; you may not copy this message or disclose its contents to anyone. The integrity and security of this message cannot be guaranteed on the Internet. If you want to submit a formal complaint, you can find information and support on our website www.widegroup.eu/reclami​ or writing to reclami@widegroup.eu. Thank you.

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org



_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org



Avvertenze ai sensi del D.Lgs.196 del 30/06/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o files allegati, sono da considerarsi strettamente riservati. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nello stesso. Costituisce violazione ai principi dettati dal D.Lgs. 196/2003: trattenere il messaggio stesso oltre il tempo necessario, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo od utilizzarlo per finalità diverse. In ogni momento potrà richiederci la sospensione dell'impiego dei suoi dati, ad esclusione delle comunicazioni effettuate in esecuzione di obblighi di legge. Qualora avesse ricevuto questo messaggio senza esserne il destinatario La preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso dal Suo sistema. Se desidera presentare un reclamo, può trovare informazioni e supporto sul nostro sito www.widegroup.eu/reclami​ o può scrivere a reclami@widegroup.eu. Grazie.

This message is confidential. It may also be privileged or otherwise protected by work, product, immunity or other legal rules. If you have received it by mistake, please let us know by e-mail reply and delete it from your system; you may not copy this message or disclose its contents to anyone. The integrity and security of this message cannot be guaranteed on the Internet. If you want to submit a formal complaint, you can find information and support on our website www.widegroup.eu/reclami​ or writing to reclami@widegroup.eu. Thank you.

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org



_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org



Avvertenze ai sensi del D.Lgs.196 del 30/06/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o files allegati, sono da considerarsi strettamente riservati. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nello stesso. Costituisce violazione ai principi dettati dal D.Lgs. 196/2003: trattenere il messaggio stesso oltre il tempo necessario, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo od utilizzarlo per finalità diverse. In ogni momento potrà richiederci la sospensione dell'impiego dei suoi dati, ad esclusione delle comunicazioni effettuate in esecuzione di obblighi di legge. Qualora avesse ricevuto questo messaggio senza esserne il destinatario La preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso dal Suo sistema. Se desidera presentare un reclamo, può trovare informazioni e supporto sul nostro sito www.widegroup.eu/reclami​ o può scrivere a reclami@widegroup.eu. Grazie.

This message is confidential. It may also be privileged or otherwise protected by work, product, immunity or other legal rules. If you have received it by mistake, please let us know by e-mail reply and delete it from your system; you may not copy this message or disclose its contents to anyone. The integrity and security of this message cannot be guaranteed on the Internet. If you want to submit a formal complaint, you can find information and support on our website www.widegroup.eu/reclami​ or writing to reclami@widegroup.eu. Thank you.