I can't get sudo to use an AD group with sssd. This was working, but broke this past week. Logins against AD are working fine. User and group resolution is working fine. Adding the user to sudoers works. Adding the group(s) the user belongs to doesn't work. I have tried every format I can think of, with nothing working. The issue seems limited to its handling of the % group entry in sudoers.
I am adding the config to a file called cedar in /etc/sudoers.d.
This works:
root@silk:/etc/sudoers.d# cat cedar
#%cansudo ALL=(ALL) ALL
eshwayri ALL=(ALL) ALL
eshwayri@silk:~$ sudo su -
[sudo] password for eshwayri:
root@silk:~#
This doesn't work:
root@silk:/etc/sudoers.d# cat cedar
%cansudo ALL=(ALL) ALL
#eshwayri ALL=(ALL) ALL
eshwayri@silk:~$ sudo su -
eshwayri is not in the sudoers file.
eshwayri is a member of cansudo (see below). I have also tried using the primary group, "domain admins". I have tried it like this:
%cansudo
or %CEDAR\\cansudo
or %cedar-republic.com\\cansudo
or %cansudo@CEDAR
or %cansudo@cedar-republic.com
I also tried using "domain admins" as "domain\ admins", since it is the primary group. I can't get it to work with any variation of the group name I could come up with. It always works as long as I use the user name.
root@silk:/etc/sudoers.d# getent passwd | grep eshwayri
eshwayri:*:21114:20512:Edmond E. Shwayri:/export/home/eshwayri:/bin/bash
root@silk:/etc/sudoers.d# getent group | grep eshwayri
adm:x:4:syslog,CEDAR\eshwayri,cadmin
cdrom:x:24:CEDAR\eshwayri,cadmin
sudo:x:27:CEDAR\eshwayri,cadmin
dip:x:30:CEDAR\eshwayri,cadmin
plugdev:x:46:CEDAR\eshwayri,cadmin
lpadmin:x:114:CEDAR\eshwayri,cadmin
sambashare:x:988:CEDAR\eshwayri,cadmin
cansudo:*:20523:administrator,eshwayri
cedar users:*:21143:eshwayri,parents,administrator
domain multimedia:*:24110:eshwayri,administrator,ammedia,gmmedia
analysis services admin:*:22114:eshwayri,sqladmin,administrator
fts admins:*:22113:eshwayri,sqladmin,administrator
esx administrators:*:22138:eshwayri,administrator
sql agent admins:*:22112:eshwayri,sqladmin,administrator
praetorian:*:21130:eshwayri,administrator
domain admins:*:20512:administrator,eshwayri
mymovies:*:23107:eshwayri,administrator
sql server admins:*:22111:eshwayri,sqladmin,administrator
domain wireless users:*:21152:eshwayri,parents,administrator
denied rodc password replication group:*:20572:krbtgt,administrator,eshwayri
domain users:*:20513:eshwayri,wirns,administrator,guest,krbtgt,support_388945a0,wmus_aldur,parents,iusr_aldur,iwam_aldur,bbsuser1,dyndnsupd,pvruser,iwam_aphrael,iusr_aphrael,tsinternetuser,sqladmin,nbuvadp,cluster
root@silk:/etc/sudoers.d# id eshwayri
uid=21114(eshwayri) gid=20512(domain admins) groups=20512(domain admins),22114(analysis services admin),21152(domain wireless users),22138(esx administrators),24110(domain multimedia),22111(sql server admins),22112(sql agent admins),20513(domain users),21143(cedar users),22113(fts admins),21130(praetorian),23107(mymovies),20572(denied rodc password replication group),20523(cansudo)
root@silk:/etc/sudoers.d# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files sss systemd
group: files sss systemd
shadow: files sss systemd
gshadow: files systemd
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss
sudo: files sss
root@silk:/etc/sudoers.d# cat /etc/sssd/sssd.conf
[sssd]
domains = cedar-republic.com
config_file_version = 2
services = nss, pam, pac
[domain/cedar-republic.com]
enumerate = True
subdomain_enumerate = True
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CEDAR-REPUBLIC.COM
realmd_tags = manages-system joined-with-adcli
fallback_homedir = /export/home/%u
ad_domain = cedar-republic.com
ad_gpo_access_control = permissive
ad_gpo_ignore_unreadable = True
use_fully_qualified_names = False
ldap_id_mapping = False
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
root@silk:/etc/sudoers.d# cat /etc/krb5.conf
#
# krb5.conf(5) - configuration file for Kerberos 5
#
[appdefaults]
pam = {
forwardable = true
ticket_lifetime = 86400
renew_lifetime = 86400
}
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
rdns=false
ticket_lifetime = 24h
clockskew = 300
forwardable = yes
default_realm = CEDAR-REPUBLIC.COM
udp_preference_limit = 0
[domain_realm]
cedar-republic.com = CEDAR-REPUBLIC.COM
.cedar-republic.com = CEDAR-REPUBLIC.COM
CEDAR-REPUBLIC.COM = CEDAR-REPUBLIC.COM
.CEDAR-REPUBLIC.COM = CEDAR-REPUBLIC.COM
[realms]
CEDAR-REPUBLIC.COM = {
default_domain = CEDAR-REPUBLIC.COM
}
[logging]
default = SYSLOG:INFO:LOCAL7
I am adding the config to a file called cedar in /etc/sudoers.d.
This works:
root@silk:/etc/sudoers.d# cat cedar
#%cansudo ALL=(ALL) ALL
eshwayri ALL=(ALL) ALL
eshwayri@silk:~$ sudo su -
[sudo] password for eshwayri:
root@silk:~#
This doesn't work:
root@silk:/etc/sudoers.d# cat cedar
%cansudo ALL=(ALL) ALL
#eshwayri ALL=(ALL) ALL
eshwayri@silk:~$ sudo su -
eshwayri is not in the sudoers file.
eshwayri is a member of cansudo (see below). I have also tried using the primary group, "domain admins". I have tried it like this:
%cansudo
or %CEDAR\\cansudo
or %cedar-republic.com\\cansudo
or %cansudo@CEDAR
or %cansudo@cedar-republic.com
I also tried using "domain admins" as "domain\ admins", since it is the primary group. I can't get it to work with any variation of the group name I could come up with. It always works as long as I use the user name.
root@silk:/etc/sudoers.d# getent passwd | grep eshwayri
eshwayri:*:21114:20512:Edmond E. Shwayri:/export/home/eshwayri:/bin/bash
root@silk:/etc/sudoers.d# getent group | grep eshwayri
cdrom:x:24:CEDAR\eshwayri,cadmin
sudo:x:27:CEDAR\eshwayri,cadmin
dip:x:30:CEDAR\eshwayri,cadmin
plugdev:x:46:CEDAR\eshwayri,cadmin
lpadmin:x:114:CEDAR\eshwayri,cadmin
sambashare:x:988:CEDAR\eshwayri,cadmin
cedar users:*:21143:eshwayri,parents,administrator
domain multimedia:*:24110:eshwayri,administrator,ammedia,gmmedia
analysis services admin:*:22114:eshwayri,sqladmin,administrator
fts admins:*:22113:eshwayri,sqladmin,administrator
esx administrators:*:22138:eshwayri,administrator
sql agent admins:*:22112:eshwayri,sqladmin,administrator
praetorian:*:21130:eshwayri,administrator
domain admins:*:20512:administrator,eshwayri
mymovies:*:23107:eshwayri,administrator
sql server admins:*:22111:eshwayri,sqladmin,administrator
domain wireless users:*:21152:eshwayri,parents,administrator
denied rodc password replication group:*:20572:krbtgt,administrator,eshwayri
domain users:*:20513:eshwayri,wirns,administrator,guest,krbtgt,support_388945a0,wmus_aldur,parents,iusr_aldur,iwam_aldur,bbsuser1,dyndnsupd,pvruser,iwam_aphrael,iusr_aphrael,tsinternetuser,sqladmin,nbuvadp,cluster
root@silk:/etc/sudoers.d# id eshwayri
uid=21114(eshwayri) gid=20512(domain admins) groups=20512(domain admins),22114(analysis services admin),21152(domain wireless users),22138(esx administrators),24110(domain multimedia),22111(sql server admins),22112(sql agent admins),20513(domain users),21143(cedar users),22113(fts admins),21130(praetorian),23107(mymovies),20572(denied rodc password replication group),20523(cansudo)
root@silk:/etc/sudoers.d# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files sss systemd
group: files sss systemd
shadow: files sss systemd
gshadow: files systemd
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss
sudo: files sss
root@silk:/etc/sudoers.d# cat /etc/sssd/sssd.conf
[sssd]
domains = cedar-republic.com
config_file_version = 2
services = nss, pam, pac
[domain/cedar-republic.com]
enumerate = True
subdomain_enumerate = True
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CEDAR-REPUBLIC.COM
realmd_tags = manages-system joined-with-adcli
fallback_homedir = /export/home/%u
ad_domain = cedar-republic.com
ad_gpo_access_control = permissive
ad_gpo_ignore_unreadable = True
use_fully_qualified_names = False
ldap_id_mapping = False
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
root@silk:/etc/sudoers.d# cat /etc/krb5.conf
#
# krb5.conf(5) - configuration file for Kerberos 5
#
[appdefaults]
pam = {
forwardable = true
ticket_lifetime = 86400
renew_lifetime = 86400
}
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
rdns=false
ticket_lifetime = 24h
clockskew = 300
forwardable = yes
default_realm = CEDAR-REPUBLIC.COM
udp_preference_limit = 0
[domain_realm]
cedar-republic.com = CEDAR-REPUBLIC.COM
.cedar-republic.com = CEDAR-REPUBLIC.COM
CEDAR-REPUBLIC.COM = CEDAR-REPUBLIC.COM
.CEDAR-REPUBLIC.COM = CEDAR-REPUBLIC.COM
[realms]
CEDAR-REPUBLIC.COM = {
default_domain = CEDAR-REPUBLIC.COM
}
[logging]
default = SYSLOG:INFO:LOCAL7