Hi,

I've been following Jakub's useful blog post[1], attempting to get sudo rules into our Active Directory, and usable by sudo via SSSD.

I've managed the schema extension, and built a rule, but whatever I've tried I've not managed to get the rule to apply.

When I run "sudo -l" as the user who should have received a sudo rule I get the following:

[_johnbadm@sudotest ~]$ sudo -l
[sudo] password for _johnbadm:
Sorry, user _johnbadm may not run sudo on sudotest.

However, there is a rule in the SSSD db:

[root@sudotest ~]# ldbsearch -H /var/lib/sss/db/cache_AD.ldb '(objectClass=sudoRule)'
asq: Unable to register control with rootdse!
# record 1
dn: name=lessrule,cn=sudorules,cn=custom,cn=AD,cn=sysdb
cn: lessrule
dataExpireTimestamp: 1475513295
entryUSN: 17309854
name: lessrule
objectClass: sudoRule
originalDN: CN=lessrule,OU=sudoers,DC=example,DC=com
sudoCommand: /usr/bin/less
sudoHost: ALL
sudoHost: *.example.com
sudoRunAsUser: ALL
sudoUser: _johnbadm
distinguishedName: name=lessrule,cn=sudorules,cn=custom,cn=AD,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

I'm running CentOS 6.8, with SSSD 1.13.3-22.el6.

[root@sudotest ~]# grep sudo /etc/nsswitch.conf
sudoers: files sss

[root@sudotest ~]# grep sudo /etc/sssd/sssd.conf
services = nss, pam, sudo

I turned on debug for the SSSD sudo service, and get:

https://paste.fedoraproject.org/442892/72188147/

Just read the debug again, and had a hunch around case sensitivity...

When I change the sudo rule to have:

sudoUser: _johnbADM

instead of:

sudoUser: _johnbadm

it works. Surely the matching of rules should be case insensitive, shouldn't it? The username form "_johnbADM" presumably works because the AD user's sAMAccountName is the form with the mixed case, which you can see in the SSSD DB:

# record 25
dn: name=_johnbADM,cn=users,cn=AD,cn=sysdb
createTimestamp: 1475573234
fullName: John Beranek ADM
gecos: John Beranek ADM


Thoughts?

John

--
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                                 -- William Blake
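A small diagnostic script, added here as an example (it is not part of John's post or of SSSD) that reproduces the check described above offline: it parses ldbsearch-style LDIF, looks up the user's name as it is stored in the cache, and reports which sudoRule entries match that name only when the comparison is made case-insensitively. The LDIF embedded below is constructed from the records quoted in the post (some attributes omitted, the user's `name` and `objectClass` attributes added); the assumption that sudoUser is compared against the cached user name rather than the typed login is taken from the symptom John describes, not from SSSD's source.

```python
"""Diagnose why a cached SSSD sudo rule does not apply to a given user.

Added example: the LDIF below is constructed from the ldbsearch output in
the post, with some attributes left out and the user's `name` and
`objectClass` values added for the lookup.
"""
import fnmatch

SAMPLE_LDIF = """\
# record 1
dn: name=lessrule,cn=sudorules,cn=custom,cn=AD,cn=sysdb
cn: lessrule
name: lessrule
objectClass: sudoRule
originalDN: CN=lessrule,OU=sudoers,DC=example,DC=com
sudoCommand: /usr/bin/less
sudoHost: ALL
sudoHost: *.example.com
sudoRunAsUser: ALL
sudoUser: _johnbadm

# record 25
dn: name=_johnbADM,cn=users,cn=AD,cn=sysdb
name: _johnbADM
objectClass: user
fullName: John Beranek ADM
"""


def parse_ldif(text):
    """Split ldbsearch-style LDIF into a list of {attribute: [values]} dicts.

    Blank lines and '#' comment lines ('# record N', '# returned ...') end
    a record; every other 'attr: value' line is collected into it.
    """
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def cached_user_name(records, login):
    """Return the user's name as stored under cn=users in the cache, looked up
    case-insensitively, or None if the user is not cached at all."""
    for rec in records:
        dn = rec.get("dn", [""])[0]
        if ",cn=users," in dn:
            name = rec.get("name", [""])[0]
            if name.lower() == login.lower():
                return name
    return None


def user_matches(rule, name, case_sensitive):
    """Does any plain sudoUser value of `rule` name this user?
    Group ('%') and netgroup ('+') entries are out of scope here."""
    for entry in rule.get("sudoUser", []):
        if entry == "ALL":
            return True
        if entry.startswith(("%", "+")):
            continue
        if (entry == name) if case_sensitive else (entry.lower() == name.lower()):
            return True
    return False


def host_matches(rule, hostname):
    """sudoHost is either ALL or a shell-style pattern such as *.example.com."""
    return any(h == "ALL" or fnmatch.fnmatchcase(hostname, h)
               for h in rule.get("sudoHost", []))


def applicable_rules(records, name, hostname, case_sensitive=True):
    """Names (cn) of cached sudoRule entries that match `name` on `hostname`."""
    return sorted(rec["cn"][0] for rec in records
                  if "sudoRule" in rec.get("objectClass", [])
                  and user_matches(rec, name, case_sensitive)
                  and host_matches(rec, hostname))


def diagnose(text, login, hostname):
    """Return (cached_name, rules matching case-sensitively,
    rules that match only when compared case-insensitively)."""
    records = parse_ldif(text)
    name = cached_user_name(records, login)
    if name is None:
        return None, [], []
    strict = applicable_rules(records, name, hostname, case_sensitive=True)
    loose = applicable_rules(records, name, hostname, case_sensitive=False)
    return name, strict, sorted(set(loose) - set(strict))


if __name__ == "__main__":
    cached, strict, case_only = diagnose(SAMPLE_LDIF, "_johnbadm", "sudotest.example.com")
    print("cached name:", cached)            # _johnbADM
    print("rules matching exactly:", strict)  # []
    print("rules differing only in case:", case_only)  # ['lessrule']
```

Feeding the script the real output of `ldbsearch -H /var/lib/sss/db/cache_AD.ldb` (both the sudoRule and the user's cn=users record) instead of the constructed sample shows at a glance whether a rule is being lost to a case difference between sudoUser and the cached account name.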