I'm trying to configure nsswitch to use sudoers: files sss, which is the default for a RHEL 9 system; however, this does not work for me, whereas the following, sudoers: files ldap, does indeed work.

What am I missing for SSSD to work?

I can successfully log into instances using my account; however, I'm not allowed to use sudo even though sudoCommand: ALL is set.

$ ldapsearch -H ldap://ipa.example.com -b ou=sudoers,dc=example,dc=com -ZZ '(&(objectClass=sudoRole))' -x
# allow_all, sudoers, EXAMPLE.COM
dn: cn=allow_all,ou=sudoers,dc=EXAMPLE,dc=COM
objectClass: sudoRole
objectClass: top
sudoUser: %host-admin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
cn: allow_all


$ id admin
uid=6666(admin),1234(host-admins)

sssd.conf

[domain/default]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ipa.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_sudo_include_regexp = true
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow

[sssd]
services = nss, pam, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level = 7

nsswitch.conf

sudoers: files sss <--- Does not work

sudoers: files ldap <--- Does work
N. J

1 Answer

I am going to guess that host-admin[s] is a local group on the server rather than an LDAP group.

SSSD deliberately ignores LDAP "sudoers" entries that refer to host-local groups. If I remember correctly, it only accepts entries that refer to groups within the same SSSD "domain".

If you want different hosts to have different administrators, you could instead store the authorized user names directly in your LDAP sudoers rule (the sudoUser attribute is multi-valued), using sudoHost to limit the role to a specific host (or set of hosts), and creating a new role for each set of hosts that needs a different list of administrators.

Alternatively, you could use NIS-style netgroups in LDAP (which use the nisNetgroup objectClass and contain a list of (host,user,[nisdomain]) triples), or you could avoid LDAP entirely and deploy /etc/sudoers.d/ as a regular file via Salt/Ansible (which can then refer to any group or NIS netgroup known to nsswitch).

user1686
  • `host-admins` is in fact an LDAP group. Any idea why it works directly with ldap in `nsswitch` and not with sssd, even though SSSD is configured? – N. J Mar 21 '23 at 09:05
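The answer above hinges on what the sudoUser values in each LDAP sudoRole actually refer to: a plain user name, a %group, a +netgroup, a #uid or a %#gid. The following is an added example (not code from the question or the answer) that parses an ldapsearch-style LDIF dump, flags the rules whose sudoUser depends on group or netgroup resolution (the ones the answer says SSSD will only honour when the group lives in the SSSD domain), and emits the alternative the answer proposes: a rule that lists the authorized users directly and uses sudoHost to scope it. The LDIF is constructed to mirror the allow_all rule in the question; the second rule, the host names and the user names in the rewritten rule are assumptions.

```python
"""Classify sudoUser values in LDAP sudoRole entries and rewrite a
group-based rule as the per-host, explicit-user rule suggested above.

Added example, not code from the original post. SAMPLE_LDIF is a
constructed dump modelled on the question's allow_all rule; the db_ops
rule, web01/web02 and the user 'bob' are assumptions.
"""
import base64
from collections import defaultdict

SAMPLE_LDIF = """\
# allow_all, sudoers, EXAMPLE.COM
dn: cn=allow_all,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
objectClass: top
sudoUser: %host-admin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
cn: allow_all

dn: cn=db_ops,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
objectClass: top
sudoUser: alice
sudoUser: +dba-netgroup
sudoUser: #6666
sudoHost: db01.example.com
sudoCommand: /usr/bin/systemctl restart postgresql
cn: db_ops
"""


def parse_ldif(text):
    """Parse an LDIF dump into a list of {attr: [values]} dicts.

    Handles '#' comments, folded continuation lines (leading space) and
    base64 values ('attr:: ...'); attribute names are lower-cased.
    """
    logical = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:            # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                       # not an attribute line; ignore
        if current is None:
            current = defaultdict(list)
        if value.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current[attr.strip().lower()].append(value)
    return entries


def classify_sudo_user(value):
    """Return the kind of principal a sudoUser value names, per sudoers(5):
    'ALL', '%#gid', '%group', '+netgroup', '#uid', or a user name."""
    if value == "ALL":
        return "all"
    if value.startswith("%#"):
        return "gid"
    if value.startswith("%"):
        return "group"
    if value.startswith("+"):
        return "netgroup"
    if value.startswith("#"):
        return "uid"
    return "user"


def group_dependent_rules(entries):
    """Map rule cn -> the %group/+netgroup references in its sudoUser.
    These are the rules that, per the answer, SSSD only matches when the
    group is resolvable inside the SSSD domain (not a host-local group)."""
    result = {}
    for e in entries:
        if "sudorole" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        refs = [v for v in e.get("sudouser", [])
                if classify_sudo_user(v) in ("group", "netgroup")]
        if refs:
            result[e.get("cn", e["dn"])[0]] = refs
    return result


def explicit_user_rule(cn, users, hosts, base="ou=sudoers,dc=example,dc=com"):
    """Build the suggested alternative as LDIF: users listed directly in the
    multi-valued sudoUser attribute, sudoHost limiting where it applies."""
    lines = [f"dn: cn={cn},{base}", "objectClass: sudoRole", "objectClass: top",
             f"cn: {cn}"]
    lines += [f"sudoUser: {u}" for u in users]
    lines += [f"sudoHost: {h}" for h in hosts]
    lines += ["sudoCommand: ALL", "sudoRunAsUser: ALL", "sudoRunAsGroup: ALL"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_ldif(SAMPLE_LDIF)
    for cn, refs in group_dependent_rules(rules).items():
        print(f"{cn}: needs SSSD to resolve {refs}")
    # assumed host and user names for the rewritten, host-scoped rule
    print(explicit_user_rule("web_admins", ["admin", "bob"],
                             ["web01.example.com", "web02.example.com"]))
```

Run it against a real dump with `ldapsearch ... > sudoers.ldif` and `parse_ldif(open("sudoers.ldif").read())`; any rule reported by group_dependent_rules is one to check with `id <user>` on the host, since the group must appear in the SSSD-supplied membership for `sudoers: files sss` to match it.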