
I have an Active Directory domain with a handful of Linux servers that interact with AD through sssd. I want to have a different sudoers configuration on different servers, and I know this can be done through netgroups. So far, I've managed to get some servers into a netgroup by adding a nisNetgroup object in AD, and adding servers to the nisNetgroupTriple attribute on that object (and setting the ldap_netgroup_search_base option in sssd.conf). As a result, I can query the netgroup successfully on the Linux servers using getent:

$ getent netgroup <name>
<name>         (<server>.<domain>,,)

Changing netgroup membership is done by modifying the nisNetgroupTriple attribute of the nisNetgroup object. This means a user with permission to modify the object can put any server into the netgroup. I would like to lock this down further, for example by using a standard AD group, where a user would need to have permission to modify the group and the computer account in order to add the computer to the group. Is it possible to have sssd use a standard AD group as a netgroup?
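Added example (not part of the question): a POSIX sh function that emulates how sudo and innetgr evaluate the (host,user,domain) triples returned by getent netgroup, useful when auditing what a given nisNetgroupTriple value actually grants. The netgroup names and host names are constructed placeholders; an empty host or user field in a triple is a wildcard.

```shell
#!/bin/sh
# Constructed stand-in for `getent netgroup` output, one netgroup per line,
# in the same layout as the query shown in the question.
SAMPLE_GETENT='webservers    (web01.corp.example,,) (web02.corp.example,,)
dbadmins      (,alice,) (db01.corp.example,bob,)'

# netgroup_matches NAME HOST USER
#   Looks NAME up in $SAMPLE_GETENT and returns 0 if any triple admits the
#   HOST/USER pair. An empty host or user field in a triple matches
#   anything, so (,alice,) admits alice on every server; a sudoers rule
#   like "ALL +webservers = (ALL) ALL" relies on exactly this host match.
netgroup_matches() {
    name=$1; host=$2; user=$3
    # shellcheck disable=SC2046  # word splitting yields one triple per word
    set -- $(printf '%s\n' "$SAMPLE_GETENT" | awk -v n="$name" '$1 == n { $1 = ""; print }')
    for triple in "$@"; do
        inner=${triple#\(}; inner=${inner%\)}   # strip the parentheses
        t_host=${inner%%,*}                     # first field: host
        rest=${inner#*,}
        t_user=${rest%%,*}                      # second field: user
        if [ -z "$t_host" ] || [ "$t_host" = "$host" ]; then
            if [ -z "$t_user" ] || [ "$t_user" = "$user" ]; then
                return 0
            fi
        fi
    done
    return 1
}
```

Replace SAMPLE_GETENT with the real `getent netgroup <name>` output to check which hosts a triple admits before referencing the netgroup from sudoers.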

0 Answers