[Samba] Sudoers in Samba LDAP

Rowland Penny rpenny at samba.org
Fri Nov 24 11:38:12 UTC 2023


On Fri, 24 Nov 2023 15:15:45 +0500
Anton Shevtsov via samba <samba at lists.samba.org> wrote:

> 
> 24.11.2023 14:57, Rowland Penny via samba пишет:
> > On Fri, 24 Nov 2023 13:30:13 +0500
> > Anton Shevtsov via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> I have a DC on samba 4.17.12
> >>
> >> I want to store sudoers in LDAP, and use sssd to get the rules from LDAP.
> >>
> >> I have configured sssd.conf
> >>
> >> [sssd]
> >> config_file_version = 2
> >> services = nss, pam, sudo
> >> user = _sssd
> >> domains = TEST.ALT
> >>
> >> [nss]
> >> [sudo]
> >> [pam]
> >>
> >> [domain/TEST.TLD]
> >> dyndns_update = true
> >> id_provider = ad
> >> auth_provider = ad
> >> chpass_provider = ad
> >> access_provider = ad
> >> default_shell = /bin/bash
> >> fallback_homedir = /home/%d/%u
> >> debug_level = 0
> >> ad_gpo_ignore_unreadable = true
> >> ad_gpo_access_control = permissive
> >> ad_update_samba_machine_account_password = true
> >> cache_credentials = false
> >> sudo_provider = ad
> >> ldap_sudo_search_base = ou=sudoers, dc=test, dc=tld
> >>
> >> and nsswitch.conf
> >>
> >> ...
> >> sudoers: files sss
> >> ...
> >>
> >> I created OU=sudoers,dc=test,dc=tld, but stopped during creation of
> >> sudo entries like
> >>
> >> cn=username1,ou=sudoers,dc=test,dc=tld
> >> cn=username2,ou=sudoers,dc=test,dc=tld
> >>
> >> I read https://lists.samba.org/archive/samba/2016-April/199402.html,
> >> but I have sudoRole objectclass (I see it in ADSI on the Windows side.
> >> It would be better without using Windows).
> >> Also, I do not have *schema.ActiveDirectory* to import into Samba.
> >>
> >> How can I add the sudoRole objectclass?
> >>
> >>
> > It is quite easy to extend Samba AD to add the sudo schema, see here
> > for more info:
> >
> > https://wiki.samba.org/index.php/Samba_AD_schema_extensions
> >
> > Provided you have the full version of sudo installed (it is called
> > sudo-ldap on Debian), you should have the required schema (again on
> > Debian it is here:
> > /usr/share/doc/sudo-ldap/schema.ActiveDirectory.gz)
> >
> > I could dig out my notes on this, but they may be out of date.
> >
> > Finally, you do not need sssd to get the rules, sudo is quite
> > capable of doing that itself, see here:
> >
> > https://www.sudo.ws/docs/man/1.8.17/sudoers.ldap.man/
> >
> > Rowland
> 
> 
> I know about sudo-ldap, but in my distro sudo-ldap is not provided
> (sudo sudo -V | grep ldap is empty)
> 
> That's why I want to use sssd (without sudo-ldap).
> 
> 

Are you sure that your version of sudo hasn't got ldap capabilities? The
version of sudo supplied by most distros has.

Rowland
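As an added example (not from the thread, nor sssd's or Samba's own code): a small Python check over the sudo-relevant part of the sssd.conf quoted above. It catches the settings that would make sssd never fetch sudo rules at all, in particular that every name in the `[sssd]` `domains` list needs a matching `[domain/NAME]` section (the quoted file lists TEST.ALT but defines TEST.TLD), and that the effective `sudo_provider` (which defaults to `id_provider`) is one that can serve rules. Section and key names are sssd's own; the sample config is the thread's, trimmed.

```python
import configparser

# The sudo-relevant part of the sssd.conf posted in the thread (constructed
# inline so the check runs offline; the full file has more keys).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = TEST.ALT

[sudo]

[domain/TEST.TLD]
id_provider = ad
sudo_provider = ad
ldap_sudo_search_base = ou=sudoers, dc=test, dc=tld
"""

SUDO_PROVIDERS = {"ad", "ldap", "ipa"}  # back ends that can serve sudo rules


def check_sssd_sudo_config(text):
    """Return findings that would stop sssd from serving sudo rules at all."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    main = cp["sssd"] if cp.has_section("sssd") else {}
    if "sudo" not in [s.strip() for s in main.get("services", "").split(",")]:
        findings.append("sudo responder is not listed in [sssd] services")
    listed = [d.strip() for d in main.get("domains", "").split(",") if d.strip()]
    defined = [s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")]
    # Every name in 'domains' needs a matching [domain/NAME] section; a section
    # whose name is not listed is never loaded, so its sudo settings are inert.
    for name in listed:
        if name not in defined:
            findings.append(f"domain {name} is listed but has no [domain/{name}] section")
    for name in defined:
        if name not in listed:
            findings.append(f"[domain/{name}] is defined but not listed in domains")
    for name in set(listed) & set(defined):
        sect = cp[f"domain/{name}"]
        # sudo_provider defaults to the id_provider when not set explicitly
        provider = sect.get("sudo_provider", sect.get("id_provider", ""))
        if provider not in SUDO_PROVIDERS:
            findings.append(f"[domain/{name}] sudo_provider {provider or 'unset'} cannot serve rules")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_sssd_sudo_config(SAMPLE_SSSD_CONF):
        print("finding:", finding)
```

For the real validation on a host, sssd-tools ships `sssctl config-check`; this script only illustrates the domain/section cross-check the posted file trips over.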



