On Fri, 24 Nov 2023 13:30:13 +0500
Anton Shevtsov via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I have a DC on samba 4.17.12
>
> I want store sudoers in LDAP, and use sssd for get rules from LDAP.
>
> I was configured sssd.conf
>
> [sssd]
> config_file_version = 2
> services = nss, pam, sudo
> user = _sssd
> domains = TEST.ALT
>
> [nss]
> [sudo]
> [pam]
>
> [domain/TEST.TLD]
> dyndns_update = true
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
> default_shell = /bin/bash
> fallback_homedir = /home/%d/%u
> debug_level = 0
> ad_gpo_ignore_unreadable = true
> ad_gpo_access_control = permissive
> ad_update_samba_machine_account_password = true
> cache_credentials = false
> sudo_provider = ad
> ldap_sudo_search_base = ou=sudoers, dc=test, dc=tld
>
> and nsswitch.conf
>
> ...
> sudoers: files sss
> ...
>
> I created OU=sudoers,dc=test,dc=tld, but got stuck when creating sudo
> entries such as
>
> cn=username1,ou=sudoers,dc=test,dc=tld
> cn=username2,ou=sudoers,dc=test,dc=tld
>
> I read https://lists.samba.org/archive/samba/2016-April/199402.html ,
> but I have the sudoRole objectclass (I see it in ADSI on the Windows side. It
> would be better without using Windows).
> Also, I do not have *schema.ActiveDirectory* to import into Samba.
>
> How can I add the sudoRole objectclass?
>
>
It is quite easy to extend Samba AD to add the sudo schema, see here
for more info:
https://wiki.samba.org/index.php/Samba_AD_schema_extensions
Provided you have the full version of sudo installed (it is called
sudo-ldap on Debian), you should have the required schema (again on
Debian it is here: /usr/share/doc/sudo-ldap/schema.ActiveDirectory.gz).
I could dig out my notes on this, but they may be out of date.
Finally, you do not need sssd to get the rules, sudo is quite capable
of doing that itself, see here:
https://www.sudo.ws/docs/man/1.8.17/sudoers.ldap.man/
Rowland
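The following is an added example, not part of this thread and not code from Samba or sudo. It shows what entries under ou=sudoers,dc=test,dc=tld look like once the sudoRole objectclass exists (the attribute names sudoUser, sudoHost, sudoCommand, sudoRunAsUser and sudoOption come from the sudo LDAP schema referenced above; the three entries are constructed sample data, not rules from the poster's directory), parses an LDIF export of them, and flags rules that grant unrestricted or passwordless root, which is the review step worth doing before pointing sudo or sssd at the new OU.

```python
"""Parse an LDIF export of sudoRole entries and flag risky rules.

Added example (not from the mailing-list thread). The sample LDIF below is
constructed to resemble entries under ou=sudoers,dc=test,dc=tld after the
sudo schema has been added to Samba AD.
"""
import base64
import re

# Constructed sample export; attribute names follow the sudo LDAP schema.
SAMPLE_LDIF = """\
dn: cn=username1,ou=sudoers,dc=test,dc=tld
objectClass: top
objectClass: sudoRole
cn: username1
sudoUser: username1
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /usr/bin/systemctl restart nginx

dn: cn=username2,ou=sudoers,dc=test,dc=tld
objectClass: top
objectClass: sudoRole
cn: username2
sudoUser: username2
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=backup,ou=sudoers,dc=test,dc=tld
objectClass: top
objectClass: sudoRole
cn: backup
sudoUser: %backup-operators
sudoHost: backup01
sudoCommand: /usr/bin/rsync
sudoCommand: !/bin/sh
"""


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF record.

    Attribute names are lower-cased (LDAP attribute names are case-insensitive).
    Handles folded lines (continuations start with a space), base64 values
    ("attr:: ...") and skips comment and version lines.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold a continuation line
            elif raw.startswith("#") or raw.startswith("version:"):
                continue
            else:
                lines.append(raw)
        entry = {}
        for line in lines:
            attr, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            records.append(entry)
    return records


def sudo_roles(records):
    """Keep only entries carrying the sudoRole objectclass."""
    return [r for r in records
            if "sudorole" in {v.lower() for v in r.get("objectclass", [])}]


def risky_rules(records):
    """Return (dn, reason) tuples for rules granting broad or passwordless access."""
    findings = []
    for r in sudo_roles(records):
        dn = r["dn"][0]
        commands = r.get("sudocommand", [])
        hosts = r.get("sudohost", [])
        options = {o.lower() for o in r.get("sudooption", [])}
        if "ALL" in commands and "ALL" in hosts:
            findings.append((dn, "ALL commands on ALL hosts"))
        if "ALL" in r.get("sudouser", []):
            findings.append((dn, "sudoUser ALL matches every account"))
        if "!authenticate" in options:      # LDAP equivalent of NOPASSWD
            findings.append((dn, "passwordless via sudoOption !authenticate"))
    return sorted(findings)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(f"{len(sudo_roles(entries))} sudoRole entries parsed")
    for dn, reason in risky_rules(entries):
        print(f"RISK {dn}: {reason}")
```

Run against a real export (for example the output of `ldbsearch` or `ldapsearch` limited to the sudoers OU) instead of SAMPLE_LDIF to review the rules before enabling them on clients.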