So I've extended my AD and created a sudoRole in an OU, and can get it to work for a single user. I can't however get it to work with an AD group.
I've tried %<adgroupname>, <adgroupname>, and +<adgroupname>, all in the sudoUser attribute on the object, but cannot get it to use the group. getent group <adgroupname> returns members. The Sudoers LDAP manual has this to say about sudoUser:
"A user name, user ID (prefixed with '#'), Unix group name or ID (prefixed with '%' or '%#' respectively), user netgroup (prefixed with '+'), or non-Unix group name or ID (prefixed with '%:' or '%:#' respectively). User netgroups are matched using the user and domain members only; the host member is not used when matching. Non-Unix group support is only available when an appropriate group_plugin is defined in the global defaults sudoRole object."
So is it reasonable to assume the last sentence is tripping this up? Does a group_plugin need to be defined in defaults? What group_plugin needs to be defined in defaults? It all works fine with just a single user in the sudoUser attribute. Once I replace it with %<adgroupname>, the same way I put it in the sudoers file manually, it fails to match the rule.
From sssd_sudo.log:
When just my user is listed specifically in the sudoUser attribute in the sudoRole object in AD:
[sudosrv_get_sudorules_query_cache] (0x0200):Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>) ... [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [myaduser@mydomain.com]
When a group my user is in is listed in the sudoUser attribute in the sudoRole object in AD:
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)(sudoUser=%Domain\20Users)(sudoUser=%<adgroupname1>)(sudoUser=%<adgroupname2>)(sudoUser=%<adgroupnameiwanttouse>) ... [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [myaduser@mydomain.com]
I've tried matching the case used in the filter in sssd_sudo.log, and I've tried matching the case from id $user; nothing seems to work except listing my user account specifically. Is there some magic to getting AD groups to work with sudo LDAP objects?
Todd
sssd-users@lists.fedorahosted.org
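A small diagnostic added here, not from the thread or from sssd itself: it parses the "Searching sysdb with [...]" line that sssd_sudo.log prints, decodes the \20-style escapes (the log shows "Domain Users" as %Domain\20Users), and compares each sudoUser value of a sudoRole against the terms sssd is actually searching for, so a spelling, spacing or case difference between the AD object and the filter is visible at a glance. The sample log line and the group names in it are constructed placeholders.

```python
import re

# Constructed sample, modelled on the sudosrv_get_sudorules_query_cache line in the post.
LOG_LINE = (
    "[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with "
    "[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=myaduser)(sudoUser=#1165)"
    "(sudoUser=%Domain\\20Users)(sudoUser=%linux\\20admins)(sudoUser=%devops)))]"
)


def unescape_ldap(value):
    """Decode \\XX hex escapes used in the sysdb filter (e.g. \\20 for a space)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def filter_terms(log_line):
    """Return the set of sudoUser values the logged sysdb filter will accept."""
    m = re.search(r"Searching sysdb with \[(.*)\]", log_line)
    if not m:
        raise ValueError("not a sudosrv_get_sudorules_query_cache line")
    return {unescape_ldap(v) for v in re.findall(r"\(sudoUser=([^)]+)\)", m.group(1))}


def check_rule(sudo_user_values, terms):
    """Compare each sudoUser value stored on a sudoRole with the filter terms.

    Reports an exact match, a value that differs from a filter term only in case
    or surrounding whitespace, a netgroup value (not evaluated by this filter
    parser), or a value that is absent from the filter altogether.
    """
    folded = {t.strip().lower(): t for t in terms}
    report = {}
    for v in sudo_user_values:
        key = v.strip().lower()
        if v in terms:
            report[v] = "exact match"
        elif key in folded:
            report[v] = "differs only in case/whitespace from %r" % folded[key]
        elif v.startswith("+"):
            report[v] = "netgroup value, not compared here"
        else:
            report[v] = "not among the groups/identities in the filter"
    return report


if __name__ == "__main__":
    terms = filter_terms(LOG_LINE)
    for value, verdict in check_rule(["%Domain Users", "%DevOps", "%sudoers"], terms).items():
        print("%-16s %s" % (value, verdict))
```

Paste the real "Searching sysdb with" line from sssd_sudo.log in place of LOG_LINE and the sudoUser values from the sudoRole object (for example from ldapsearch output) in place of the list in the usage block.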