Hi,
I've joined an AD domain with sssd. Mostly everything works, but I can't get the sudoers permissions to work.
For testing I've tried the Domain Users group, but it's not working.
I can getent passwd and getent group with the group name or user name or uid/gid.
I can log in to the server.
My nsswitch.conf file
..
sudoers: files
..
My sssd.conf
[sssd]
config_file_version = 2
debug_level = 7
services = nss,pam
domains = domain.com
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/domain.com]
debug_level = 7
id_provider = ad
auth_provider = ad
enumerate = false
cache_credentials = true
case_sensitive = true
ad_domain = domain.com
ldap_search_base =ou=xx,ou=xx,dc=domain,dc=com
access_provider = ad
ad_access_filter = (memberOf=cn=xx,ou=xx,ou=xx,ou=xx,dc=domain,dc=com)
ad_gpo_ignore_unreadable = true
ad_gpo_access_control = disabled
My sudoers file
root ALL=(ALL) ALL
%domain\\ users ALL=(ALL) ALL
I've also tried with domain\\domain\ users, with @domain, etc. But since I can search for "getent group domain\ users" and can log in w/o any domain prefix, I think the plain group name should be correct.
When I run sudo -l with a user of the domain users group I get:
Matching Defaults entries for user on machine:
always_set_home, secure_path=/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, env_reset,
env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",
!insults, targetpw
User user may run the following commands on machine:
(ALL) ALL
(ALL) ALL
And when I do "sudo -i" I get asked for root's password, not my own. Even if I don't add a group but just my user to sudoers it doesn't work.
Thank you!
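A quick check for the symptom described in the post above, added here as an example and not taken from the original post: it parses a pasted "sudo -l" listing (the sample embedded below is constructed from the output quoted in the post) and reports how many rules matched and whether the targetpw flag is in effect, since that sudoers flag makes sudo prompt for the target user's password (root for "sudo -i") instead of the caller's own.

```shell
#!/bin/sh
# Constructed sample: the "sudo -l" output quoted in the post (not captured
# from a real host), folded the way sudo prints it.
SAMPLE_SUDO_L='Matching Defaults entries for user on machine:
    always_set_home, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin, env_reset,
    env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",
    !insults, targetpw

User user may run the following commands on machine:
    (ALL) ALL
    (ALL) ALL'

# Print only the "Matching Defaults" block (up to the blank line before the
# "User ... may run" section).
defaults_block() {
  printf '%s\n' "$1" | sed -n '/^Matching Defaults/,/^$/p'
}

# Exit 0 if targetpw is set for this user (a negated "!targetpw" does not count).
# With targetpw in effect sudo asks for the *target* user's password, so
# "sudo -i" prompts for root's password even though the rule matched.
has_targetpw() {
  defaults_block "$1" | grep -Eq '(^|[^![:alnum:]_])targetpw([^[:alnum:]_]|$)'
}

# Count the "(runas) command" rule lines granted to the user.  Two "(ALL) ALL"
# lines mean two sudoers rules matched (e.g. a group rule plus a catch-all
# "ALL ALL=(ALL) ALL"), so the group lookup itself is working.
count_rules() {
  printf '%s\n' "$1" | sed -n '/^User .* may run/,$p' \
    | grep -c '^[[:space:]]*(.*)' || true
}

# One-line verdict for an admin pasting in their own "sudo -l" output.
diagnose() {
  n=$(count_rules "$1")
  if [ "$n" -eq 0 ]; then
    echo "no sudo rules match this user: check the group spelling in sudoers"
  elif has_targetpw "$1"; then
    echo "$n rule(s) match; Defaults targetpw is set, so sudo asks for the target user's (root's) password"
  else
    echo "$n rule(s) match; sudo will ask for the invoking user's own password"
  fi
}

diagnose "$SAMPLE_SUDO_L"
```

To check a live host, replace the constructed sample with `diagnose "$(sudo -l)"`.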