On Fri, 12 Apr 2019 16:12:53 +0200
Martin Krämer via samba <samba at lists.samba.org> wrote:
> Hello All,
>
> I am currently changing my samba linux clients (Debian) from sssd
> binding to winbind.
> With sssd I had all sudo rules within the samba active directory.
> The configuration was based on:
> https://lists.samba.org/archive/samba/2016-April/199402.html
>
> Is there some guideline like the one mentioned available/has someone
> already experience with this for winbind based clients?
> Within the conversation I found that Rowland was trying to set up
> something like this but seemed to have problems with "k5start". Well,
> I still have problems with the basics since based on
> https://manpages.debian.org/stretch/sudo-ldap/sudoers.ldap.5.en.html
> I need to configure /etc/nsswitch.conf.
> I decided for test to just keep "*sudoers: ldap*"
> As soon as I change this I receive the following error (based on my
> test independently of what I define within /etc/sudo-ldap.conf):
>
> *user at cd2bd668e00c7:~$ sudo -v*
> *sudo: no valid sudoers sources found, quitting*
> *sudo: unable to initialize policy plugin*
>
> Thanks for help & hints
>
> Martin
I take it you would like to see something like this:
sudo nano /etc/nsswitch.conf
sudo: LDAP Config Summary
sudo: ==================
sudo: uri ldap://dc4.samdom.example.com
sudo: ldap_version 3
sudo: sudoers_base OU=SUDOers,DC=samdom,DC=example,DC=com
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn (anonymous)
sudo: bindpw (anonymous)
sudo: ssl (no)
sudo: use_sasl yes
sudo: sasl_auth_id $USER
sudo: rootuse_sasl -1
sudo: rootsasl_auth_id (NONE)
sudo: sasl_secprops (NONE)
sudo: krb5_ccname (NONE)
sudo: ==================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_interactive_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: found:CN=defaults,OU=SUDOers,DC=samdom,DC=example,DC=com
sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=rowland)(sudoUser=%domain users)(sudoUser=%#10000)(sudoUser=%netdev)(sudoUser=%unixtest)(sudoUser=%BUILTIN\5cadministrators)(sudoUser=%BUILTIN\5cusers)(sudoUser=%unixgroup)(sudoUser=%testgroup)(sudoUser=%group12)(sudoUser=%printeradmin)(sudoUser=%unix admins)(sudoUser=%#102)(sudoUser=%#1001)(sudoUser=%#2000)(sudoUser=%#2001)(sudoUser=%#10002)(sudoUser=%#10004)(sudoUser=%#10010)(sudoUser=%#10011)(sudoUser=%#10024)(sudoUser=ALL)))'
sudo: searching from base 'OU=SUDOers,DC=samdom,DC=example,DC=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base 'OU=SUDOers,DC=samdom,DC=example,DC=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: sorting remaining 1 entries
sudo: searching LDAP for sudoers entries
sudo: Command allowed
sudo: LDAP entry: 0x55b665ecf1f0
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(0)=0x02
sudo: removing reusable search result
Rowland
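
Added example (not part of the message above and not sudo's source code): a Python model of the first search filter in the debug log, showing how the user and the groups winbind resolves become sudoUser terms and why `BUILTIN\administrators` is logged as `BUILTIN\5cadministrators`. The function names, the term ordering inferred from the log, and the name/gid pairing in the sample are assumptions.

```python
# Added example: models the first-pass search filter shown in the debug log.
# Not sudo's source; function names and the sample identity are constructed.

def escape_filter_value(value):
    """Escape LDAP filter metacharacters as \\XX hex pairs (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_sudo_user_filter(user, primary, supplementary,
                           search_filter="(objectClass=sudoRole)"):
    """Build the sudoUser filter in the order seen in the log:
    user, primary group name, primary gid, supplementary group names,
    supplementary gids, then the ALL catch-all.

    primary is a (name, gid) pair; supplementary is a list of such pairs.
    """
    pname, pgid = primary
    terms = [
        "(sudoUser=%s)" % escape_filter_value(user),
        "(sudoUser=%%%s)" % escape_filter_value(pname),
        "(sudoUser=%%#%d)" % pgid,
    ]
    # Group names come first, gids second, as in the logged filter.
    terms += ["(sudoUser=%%%s)" % escape_filter_value(n)
              for n, _ in supplementary]
    terms += ["(sudoUser=%%#%d)" % g for _, g in supplementary]
    terms.append("(sudoUser=ALL)")
    return "(&%s(|%s))" % (search_filter, "".join(terms))


# Constructed sample: the names and gids occur in the log, but which gid
# belongs to which group is an assumption made for illustration.
SAMPLE = build_sudo_user_filter(
    "rowland",
    ("domain users", 10000),
    [("BUILTIN\\administrators", 10002), ("unix admins", 10004)],
)

if __name__ == "__main__":
    print(SAMPLE)
```

Because every name is escaped before it is placed in the filter, a group name that contains `(`, `)`, `*` or `\` is matched as a literal and cannot change the structure of the query.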