Hi

I am trying to get sudo with sssd to work with the Samba4 provider, but I can't. I have joined the domain using realmd:

realm --client-software=sssd join mmdd.indra.es

After that, I modified some sssd settings to add the sudo service, enable enumerate (during debugging), etc.:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[sssd]
domains = xxxx.yyyy.es
config_file_version = 2
services = nss, pam, sudo, ssh

[sudo]

[ssh]

[domain/xxxx.yyyy.es]
enumerate = True
ad_domain = xxxx.yyyy.es
krb5_realm = XXXX.YYYY.ES
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
case_sensitive = false

ldap_user_ssh_public_key = sshPublicKey

sudo_provider = ldap
ldap_sudo_search_base = OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I enabled and restarted sssd and oddjob. Now I see users and groups using getent, and I can log in to the client using SSH.

Then I added the OU=SUDOers tree to Samba4:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dn: OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: organizationalUnit
objectClass: top
ou: SUDOers
name: SUDOers

dn: CN=wheel,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: wheel
name: wheel
sudoCommand: ALL
sudoHost: ALL
sudoUser: %wheel

dn: CN=root,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: root
name: root
sudoCommand: ALL
sudoHost: ALL
sudoUser: root

dn: CN=sysadm,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: sysadm
name: sysadm
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sysadm

dn: CN=defaults,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: defaults
description: Default sudoOptions go here
distinguishedName: CN=defaults,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
name: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I have a user that is a member of the sysadm group (showing only the relevant information):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dn: CN=My Full Name,OU=Usuarios,DC=xxxx,DC=yyyy,DC=es
objectClass: posixAccount
sAMAccountName: jasensios
gidNumber: 10004
loginShell: /bin/bash
memberOf: CN=sysadm,OU=Grupos,DC=mmdd,DC=indra,DC=es
msSFU30Name: jasensios
msSFU30NisDomain: xxxx
msSFU30PosixMemberOf: CN=sysadm,OU=Grupos,DC=xxxx,DC=yyyy,DC=es
uid: jasensios
uidNumber: 10000
unixHomeDirectory: /home/jasensios

dn: CN=sysadm,OU=Grupos,DC=xxxx,DC=yyyy,DC=es
objectClass: posixGroup
cn: sysadm
sAMAccountName: sysadm
gidNumber: 10014
member:
memberUid: jasensios
msSFU30Name: sysadm
msSFU30NisDomain: xxxx
msSFU30PosixMember: CN=My Full Name,OU=Usuarios,DC=xxxx,DC=yyyy,DC=es
name: sysadm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After logging in with that user on the client:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[jasensios@client01 ~]$ id
uid=10000(jasensios) gid=10004(domain users) grupos=10004(domain users),10005(sysadm_pro),10014(sysadm)
[jasensios@client01 ~]$ groups
domain users sysadm
[jasensios@client01 ~]$ getent passwd jasensios
jasensios:*:10000:10004:My Full Name:/home/jasensios:/bin/bash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

But....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[jasensios@client01 ~]$ sudo -l
[sudo] password for jasensios:
User jasensios is not allowed to run sudo on client01.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Any advice?
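An added example (not part of the original post, and not sssd or sudo code) that walks through how the sudoers-in-LDAP rules above are matched: it parses sudoRole entries from LDIF and reports which sudoCommand values a user with given group memberships would be granted on a host. The LDIF is a constructed, shortened copy of the post's entries; the parser assumes no LDIF line folding or base64-encoded values.

```python
from collections import defaultdict

# Constructed sample (shortened copy of the post's sudoRole entries), not live directory data.
SAMPLE_LDIF = """\
dn: CN=sysadm,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
cn: sysadm
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sysadm

dn: CN=defaults,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK
"""


def parse_ldif(text):
    """Split LDIF into a list of {attribute: [values]} dicts, one per entry (no folding/base64)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip()].append(value.strip())
        entries.append(dict(entry))
    return entries


def user_matches(spec, user, groups):
    """sudoUser semantics: 'ALL', '%group' (group membership), or a plain user name."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:].lower() in {g.lower() for g in groups}
    return spec.lower() == user.lower()  # case-insensitive, like case_sensitive = false


def allowed_commands(ldif_text, user, groups, host):
    """Return the sudoCommand values from every sudoRole that grants `user` on `host`."""
    commands = []
    for entry in parse_ldif(ldif_text):
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        hosts = entry.get("sudoHost", [])
        if not any(h == "ALL" or h.lower() == host.lower() for h in hosts):
            continue  # cn=defaults carries only sudoOption, no sudoHost, so it grants nothing
        if any(user_matches(s, user, groups) for s in entry.get("sudoUser", [])):
            commands.extend(entry.get("sudoCommand", []))
    return commands
```

If this evaluation grants the user but `sudo -l` still denies, the lookup path rather than the rules is the usual suspect: sudo only consults SSSD when /etc/nsswitch.conf contains a `sudoers: files sss` line, and the SSSD sudo responder's cached rules can be invalidated with `sss_cache -E` before retrying.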