Score:0

Nsswitch - sudoers sss vs ldap what am I missing


I'm trying to configure nsswitch to use `sudoers: files sss`, which is the default on a RHEL 9 system; however, this does not work for me, while `sudoers: files ldap` does indeed work.

What am I missing for SSSD to work?

I can successfully log into instances using my account; however, I'm not allowed to use sudo even though the rule has `sudoCommand: ALL`.

$ ldapsearch -H ldap://ipa.example.com -b ou=sudoers,dc=example,dc=com -ZZ '(&(objectClass=sudoRole))' -x
# allow_all, sudoers, EXAMPLE.COM
dn: cn=allow_all,ou=sudoers,dc=EXAMPLE,dc=COM
objectClass: sudoRole
objectClass: top
sudoUser: %host-admin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
cn: allow_all


$ id admin
uid=6666(admin),1234(host-admins)

sssd.conf

[domain/default]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ipa.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_sudo_include_regexp = true
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow

[sssd]
services = nss, pam, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level = 7

nsswitch.conf

sudoers: files sss <--- Does not work

sudoers: files ldap <--- Does work
Score:0

I am going to guess that host-admin[s] is a local group on the server rather than an LDAP group.

SSSD deliberately ignores LDAP "sudoers" entries that refer to host-local groups. If I remember correctly, it only accepts entries that refer to groups within the same SSSD "domain".

If you want different hosts to have different administrators, you could instead store the authorized user names directly in your LDAP sudoers rule (the sudoUser attribute is multi-valued), using sudoHost to limit the role to a specific host (or set of hosts), and creating a new role for each set of hosts that needs a different list of administrators.

Alternatively, you could use NIS-style netgroups in LDAP (which use the nisNetgroup objectClass and contain a list of (host,user,[nisdomain]) triples), or you could avoid LDAP entirely and deploy /etc/sudoers.d/ as a regular file via Salt/Ansible (which can then refer to any group or NIS netgroup known to nsswitch).

N. J:
`host-admins` is in fact an LDAP group. Any idea why it works directly with ldap in `nsswitch` and not with sssd even though the SSSD is configured?
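The two LDAP-side alternatives the answer describes (listing users directly in a multi-valued `sudoUser` with `sudoHost` scoping, and NIS-style netgroups) as an added example that is not part of the original thread. The script below only emits LDIF; the containers `ou=sudoers,dc=example,dc=com` and `ou=netgroup,dc=example,dc=com`, the host names and the user names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: emit LDIF for per-host sudo
# roles and for a nisNetgroup. All DNs, hosts and users below are assumed.
set -eu

SUDO_BASE="ou=sudoers,dc=example,dc=com"      # assumed; matches the question
NETGROUP_BASE="ou=netgroup,dc=example,dc=com" # assumed netgroup container

# sudo_role_ldif NAME "host1 host2 ..." "user1 user2 ..."
# One sudoRole per set of hosts. sudoUser and sudoHost are multi-valued, so
# the users are named directly instead of through a group reference.
sudo_role_ldif() {
  name=$1; hosts=$2; users=$3
  printf 'dn: cn=%s,%s\n' "$name" "$SUDO_BASE"
  printf 'objectClass: top\nobjectClass: sudoRole\n'
  printf 'cn: %s\n' "$name"
  for u in $users; do printf 'sudoUser: %s\n' "$u"; done
  for h in $hosts; do printf 'sudoHost: %s\n' "$h"; done
  printf 'sudoCommand: ALL\nsudoRunAsUser: ALL\nsudoRunAsGroup: ALL\n\n'
}

# netgroup_ldif NAME "host1:user1 host2:user2 ..."
# nisNetgroup entries hold (host,user,domain) triples; a sudoRole can then
# refer to the netgroup with "sudoUser: +NAME".
netgroup_ldif() {
  name=$1; triples=$2
  printf 'dn: cn=%s,%s\n' "$name" "$NETGROUP_BASE"
  printf 'objectClass: top\nobjectClass: nisNetgroup\n'
  printf 'cn: %s\n' "$name"
  for t in $triples; do
    host=${t%%:*}; user=${t#*:}
    printf 'nisNetgroupTriple: (%s,%s,)\n' "$host" "$user"
  done
  printf '\n'
}

# count_attr ATTR LDIF -> number of "ATTR: value" lines in the LDIF text
count_attr() {
  printf '%s\n' "$2" | grep -c "^$1: " || true
}

# Usage: separate administrators for the web tier and the database tier.
main() {
  sudo_role_ldif web_admins "web1.example.com web2.example.com" "alice bob"
  sudo_role_ldif db_admins  "db1.example.com" "carol"
  netgroup_ldif  db_ops     "db1.example.com:carol db1.example.com:dave"
}

main
```

Pipe the output into `ldapadd -x -W -D <bind dn>` (or `ldapmodify` for changes), then on the client clear the SSSD cache with `sss_cache -E` and verify with `sudo -l` as the affected user before relying on the rule.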