I've been following Jakub's useful blog post, attempting to get sudo
rules into our Active Directory, and usable by sudo via SSSD.
I've managed the schema extension, and built a rule, but whatever I've
tried I've not managed to get the rule to apply.
When I run "sudo -l" as the user who should have received a sudo rule, I get the
[_johnbadm@sudotest ~]$ sudo -l
[sudo] password for _johnbadm:
Sorry, user _johnbadm may not run sudo on sudotest.
However, there *is* a rule in the SSSD db:
[root@sudotest ~]# ldbsearch -H /var/lib/sss/db/cache_AD.ldb
asq: Unable to register control with rootdse!
# record 1
# returned 1 records
# 1 entries
# 0 referrals
I'm running CentOS 6.8, with SSSD 1.13.3-22.el6.
[root@sudotest ~]# grep sudo /etc/nsswitch.conf
sudoers: files sss
[root@sudotest ~]# grep sudo /etc/sssd/sssd.conf
services = nss, pam, sudo
I turned on debug for the SSSD sudo service, and get:
Just read the debug again, and had a hunch around case sensitivity...
When I change the sudo rule to have:
it works. Surely the matching of rules should be case insensitive,
shouldn't it? The username form "_johnbADM" presumably works because the
user's sAMAccountName is the form with the mixed case, which you can see in
the SSSD DB:
# record 25
fullName: John Beranek ADM
gecos: John Beranek ADM
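As an added illustration of the mismatch described in this post (not code from SSSD, sudo or the blog post mentioned above), the following script audits the sudoUser values of LDAP sudo rules against the accounts' sAMAccountName values and reports every entry that only matches when case is ignored, since such a rule is silently skipped at "sudo -l" as shown above. The rule names and account names below are constructed sample data; the user@domain, %group, +netgroup and ALL forms of sudoUser are handled as an assumption about what a directory may hold.

```python
"""Audit sudoUser values in LDAP sudo rules against canonical account names.

Added example for this thread, not SSSD or sudo code. Given the sudoUser
values of each rule and the users' sAMAccountName values, report every
sudoUser entry that matches an account only when case is ignored, because
the post above shows such a rule does not apply at "sudo -l".
"""
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    sudo_user: str
    canonical: str  # sAMAccountName exactly as stored in the directory


def audit_sudo_users(rules, accounts):
    """rules: {rule_cn: [sudoUser, ...]}; accounts: iterable of sAMAccountName.

    Returns findings for entries whose case differs from the directory name.
    Only the user part before '@' is compared; ALL, %group and +netgroup
    entries are not user names and are skipped.
    """
    by_lower = {a.lower(): a for a in accounts}
    findings = []
    for rule, users in rules.items():
        for entry in users:
            if entry == "ALL" or entry[:1] in ("%", "+"):
                continue
            user = entry.split("@", 1)[0]
            canonical = by_lower.get(user.lower())
            if canonical is not None and canonical != user:
                findings.append(Finding(rule, entry, canonical))
    return findings


# Constructed sample data mirroring the situation in the post.
SAMPLE_ACCOUNTS = ["_johnbADM", "alice", "Bob"]
SAMPLE_RULES = {
    "cn=sudotest-admins": ["_johnbadm", "%Domain Admins"],
    "cn=ops": ["alice", "bob@example.com", "ALL"],
}

if __name__ == "__main__":
    for f in audit_sudo_users(SAMPLE_RULES, SAMPLE_ACCOUNTS):
        print(f"{f.rule}: sudoUser '{f.sudo_user}' differs in case from "
              f"sAMAccountName '{f.canonical}'")
```

Running it against the constructed data flags "_johnbadm" in cn=sudotest-admins and "bob@example.com" in cn=ops; fixing a flagged rule means writing sudoUser with the exact case of the account's sAMAccountName.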