Hi,

I am trying to get sudo with sssd working with the Samba4 provider, but I can't. I have joined the domain using realmd:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
realm --client-software=sssd join mmdd.indra.es
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After that, I modified some sssd settings to add the sudo service, enable enumerate (during debugging), etc.:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[sssd]
domains = xxxx.yyyy.es
config_file_version = 2
services = nss, pam, sudo, ssh

[sudo]

[ssh]

[domain/xxxx.yyyy.es]
enumerate = True
ad_domain = xxxx.yyyy.es
krb5_realm = XXXX.YYYY.ES
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
case_sensitive = false
ldap_user_ssh_public_key = sshPublicKey
sudo_provider = ldap
ldap_sudo_search_base = OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enabled and restarted sssd and oddjob. Now I see users and groups using getent, and I can log in to the client using SSH.

Then I added the OU=SUDOers tree to Samba4:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dn: OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: organizationalUnit
objectClass: top
ou: SUDOers
name: SUDOers

dn: CN=wheel,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: wheel
name: wheel
sudoCommand: ALL
sudoHost: ALL
sudoUser: %wheel

dn: CN=root,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: root
name: root
sudoCommand: ALL
sudoHost: ALL
sudoUser: root

dn: CN=sysadm,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: sysadm
name: sysadm
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sysadm

dn: CN=defaults,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
objectClass: top
cn: defaults
description: Default sudoOptions go here
distinguishedName: CN=defaults,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
name: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I have a user that is a member of the sysadm group (I show only the relevant information):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dn: CN=My Full Name,OU=Usuarios,DC=xxxx,DC=yyyy,DC=es
objectClass: posixAccount
sAMAccountName: jasensios
gidNumber: 10004
loginShell: /bin/bash
memberOf: CN=sysadm,OU=Grupos,DC=mmdd,DC=indra,DC=es
msSFU30Name: jasensios
msSFU30NisDomain: xxxx
msSFU30PosixMemberOf: CN=sysadm,OU=Grupos,DC=xxxx,DC=yyyy,DC=es
uid: jasensios
uidNumber: 10000
unixHomeDirectory: /home/jasensios

dn: CN=sysadm,OU=Grupos,DC=xxxx,DC=yyyy,DC=es
objectClass: posixGroup
cn: sysadm
sAMAccountName: sysadm
gidNumber: 10014
member:
memberUid: jasensios
msSFU30Name: sysadm
msSFU30NisDomain: xxxx
msSFU30PosixMember: CN=My Full Name,OU=Usuarios,DC=xxxx,DC=yyyy,DC=es
name: sysadm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
uid=10000(jasensios) gid=10004(domain users) grupos=10004(domain users),10005(sysadm_pro),10014(sysadm)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
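A quick way to sanity-check a set of LDAP sudoRole entries against a user's resolved identity, before reading sssd_sudo debug logs, is to replay the sudoUser/sudoHost matching that sudo's LDAP backend performs. The script below is an added example (not sssd or sudo code, and not from the post's author); it embeds a constructed LDIF mirroring the four sudoRole entries above and the `id` line for the user, parses both, and reports which rules should apply. The hostname passed to `applicable_roles` is an assumed placeholder.

```python
"""Replay sudoUser/sudoHost matching over sudoRole entries to see which rules
should reach a user.  Added example, not sssd or sudo code; the LDIF and the
`id` line are constructed to mirror the entries quoted in the post."""
import re
from typing import Dict, List

# Constructed sample: sudoRole entries as in the OU=SUDOers subtree.
SAMPLE_LDIF = """\
dn: CN=wheel,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
cn: wheel
sudoCommand: ALL
sudoHost: ALL
sudoUser: %wheel

dn: CN=root,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
cn: root
sudoCommand: ALL
sudoHost: ALL
sudoUser: root

dn: CN=sysadm,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
cn: sysadm
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sysadm

dn: CN=defaults,OU=SUDOers,DC=xxxx,DC=yyyy,DC=es
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK
"""

# Constructed sample: `id` output for the user in the post (Spanish locale,
# hence "grupos=" rather than "groups=").
SAMPLE_ID = ("uid=10000(jasensios) gid=10004(domain users) "
             "grupos=10004(domain users),10005(sysadm_pro),10014(sysadm)")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: a blank line separates entries and every attribute
    is collected as a list.  No base64 ('::') or folded-line support."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_id(output: str) -> Dict:
    """Turn an `id` line into uid, user name and a group-name -> gid map.
    The group-list label is locale dependent, so use the last '=' segment."""
    uid = re.search(r"uid=(\d+)\(([^)]*)\)", output)
    if uid is None:
        raise ValueError("not id(1) output")
    groups = {name: int(num) for num, name
              in re.findall(r"(\d+)\(([^)]*)\)", output.rsplit("=", 1)[-1])}
    return {"uid": int(uid.group(1)), "user": uid.group(2), "groups": groups}


def user_matches(spec: str, ident: Dict) -> bool:
    """sudoUser forms from sudoers.ldap(5): ALL, name, #uid, %group, %#gid.
    Netgroups (+name) are not resolved here and never match."""
    if spec == "ALL":
        return True
    if spec.startswith("%#"):
        return spec[2:].isdigit() and int(spec[2:]) in ident["groups"].values()
    if spec.startswith("%"):
        return spec[1:] in ident["groups"]
    if spec.startswith("#"):
        return spec[1:].isdigit() and int(spec[1:]) == ident["uid"]
    if spec.startswith("+"):
        return False
    return spec == ident["user"]


def host_matches(spec: str, hostname: str) -> bool:
    """sudoHost: ALL or an exact (case-insensitive) host name."""
    return spec == "ALL" or spec.lower() == hostname.lower()


def applicable_roles(ldif: str, id_output: str, hostname: str) -> List[str]:
    """cn of each sudoRole whose sudoUser and sudoHost both match.  Entries
    with no sudoUser (the cn=defaults entry) are skipped here."""
    ident = parse_id(id_output)
    matched = []
    for entry in parse_ldif(ldif):
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        users, hosts = entry.get("sudoUser", []), entry.get("sudoHost", [])
        if any(user_matches(u, ident) for u in users) and \
           any(host_matches(h, hostname) for h in hosts):
            matched.append(entry["cn"][0])
    return matched


def defaults_options(ldif: str) -> List[str]:
    """sudoOption values of the cn=defaults entry, applied to every rule."""
    for entry in parse_ldif(ldif):
        if entry.get("cn") == ["defaults"]:
            return entry.get("sudoOption", [])
    return []


if __name__ == "__main__":
    # Assumed placeholder hostname; sudoHost is ALL in every entry anyway.
    print(applicable_roles(SAMPLE_LDIF, SAMPLE_ID, "client.xxxx.yyyy.es"))
    print(defaults_options(SAMPLE_LDIF))
```

For the user shown, only the `sysadm` rule matches (via `%sysadm`, which is in the `id` group list), so the rule data itself is consistent. If the entries match here but `sudo -l` still shows nothing, the usual places to look are outside the directory data: `nsswitch.conf` must list `sudoers: files sss` for sudo to ask sssd at all, and because `case_sensitive = false` makes sssd return lowercased names, `sudoUser: %group` must match the group name exactly as `id` prints it.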