[Samba] Sudoers in Samba LDAP

Rowland Penny rpenny at samba.org
Fri Nov 24 09:57:33 UTC 2023


On Fri, 24 Nov 2023 13:30:13 +0500
Anton Shevtsov via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> I have a DC on samba 4.17.12
> 
> I want to store sudoers in LDAP and use sssd to get the rules from LDAP.
> 
> I have configured sssd.conf
> 
> [sssd]
> config_file_version = 2
> services = nss, pam, sudo
> user = _sssd
> domains = TEST.ALT
> 
> [nss]
> [sudo]
> [pam]
> 
> [domain/TEST.TLD]
> dyndns_update = true
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
> default_shell = /bin/bash
> fallback_homedir = /home/%d/%u
> debug_level = 0
> ad_gpo_ignore_unreadable = true
> ad_gpo_access_control = permissive
> ad_update_samba_machine_account_password = true
> cache_credentials = false
> sudo_provider = ad
> ldap_sudo_search_base = ou=sudoers, dc=test, dc=tld
> 
> and nsswitch.conf
> 
> ...
> sudoers: files sss
> ...
> 
> I created OU=sudoers,dc=test,dc=tld, but got stuck while creating sudo
> entries such as
> 
> cn=username1,ou=sudoers,dc=test,dc=tld
> cn=username2,ou=sudoers,dc=test,dc=tld
> 
> I read https://lists.samba.org/archive/samba/2016-April/199402.html,
> but I have the sudoRole objectclass (I see in ADSI on the Windows side. It
> would be better without using Windows).
> Also, I do not have *schema.ActiveDirectory* to import into Samba.
> 
> How can I add the sudoRole objectclass?
> 
> 

It is quite easy to extend Samba AD to add the sudo schema, see here
for more info:

https://wiki.samba.org/index.php/Samba_AD_schema_extensions

Provided you have the full version of sudo installed (it is called
sudo-ldap on Debian), you should have the required schema (again on
Debian it is here: /usr/share/doc/sudo-ldap/schema.ActiveDirectory.gz)

I could dig out my notes on this, but they may be out of date.

Finally, you do not need sssd to get the rules, sudo is quite capable
of doing that itself, see here:

https://www.sudo.ws/docs/man/1.8.17/sudoers.ldap.man/

Rowland
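Once the sudo schema is in the AD (see the wiki link above), the entries under ou=sudoers are ordinary sudoRole objects. The following is an added example, not code from this thread or from Samba: it renders such rules as LDIF for import with ldbadd or samba-tool and flags overly broad rules before they go in. It assumes the OU from the question (ou=sudoers,dc=test,dc=tld) and uses the sudoUser/sudoHost/sudoCommand/sudoRunAsUser/sudoOption attributes from sudo's LDAP schema.

```python
# Added example: build sudoRole LDIF entries for Samba AD and review them.
import base64
from dataclasses import dataclass, field
from typing import List

SUDO_BASE = "ou=sudoers,dc=test,dc=tld"  # assumed; taken from the question


@dataclass
class SudoRule:
    cn: str
    users: List[str]                      # sudoUser: names or %groups
    hosts: List[str] = field(default_factory=lambda: ["ALL"])
    commands: List[str] = field(default_factory=list)
    runas: List[str] = field(default_factory=lambda: ["root"])
    options: List[str] = field(default_factory=list)


def ldif_attr(name, value):
    """LDIF-encode one attribute (RFC 2849): values that are not SAFE-STRING
    (non-ASCII, control chars, leading space/':'/'<') use the '::' base64 form."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<", ""))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(rule):
    """Render one sudoRole entry as an LDIF record."""
    lines = [ldif_attr("dn", f"cn={rule.cn},{SUDO_BASE}"),
             "objectClass: top", "objectClass: sudoRole", ldif_attr("cn", rule.cn)]
    for attr, values in (("sudoUser", rule.users), ("sudoHost", rule.hosts),
                         ("sudoCommand", rule.commands),
                         ("sudoRunAsUser", rule.runas), ("sudoOption", rule.options)):
        lines += [ldif_attr(attr, v) for v in values]
    return "\n".join(lines) + "\n"


def review(rule):
    """Findings a reviewer would want to see before importing the rule."""
    findings = []
    if not rule.commands:
        findings.append("no sudoCommand: rule grants nothing")
    if "ALL" in rule.commands and "ALL" in rule.hosts:
        findings.append("ALL commands on ALL hosts: root everywhere")
    if "!authenticate" in rule.options:
        findings.append("!authenticate: no password prompt")
    if "ALL" in rule.users:
        findings.append("sudoUser ALL: applies to every user")
    return findings
```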
