24.11.2023 14:57, Rowland Penny via samba ?????:> On Fri, 24 Nov 2023 13:30:13 +0500
> Anton Shevtsov via samba<samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I have a DC on samba 4.17.12
>>
>> I want store sudoers in LDAP, and use sssd for get rules from LDAP.
>>
>> I was configured sssd.conf
>>
>> [sssd]
>> config_file_version = 2
>> services = nss, pam, sudo
>> user = _sssd
>> domains = TEST.ALT
>>
>> [nss]
>> [sudo]
>> [pam]
>>
>> [domain/TEST.TLD]
>> dyndns_update = true
>> id_provider = ad
>> auth_provider = ad
>> chpass_provider = ad
>> access_provider = ad
>> default_shell = /bin/bash
>> fallback_homedir = /home/%d/%u
>> debug_level = 0
>> ad_gpo_ignore_unreadable = true
>> ad_gpo_access_control = permissive
>> ad_update_samba_machine_account_password = true
>> cache_credentials = false
>> sudo_provider = ad
>> ldap_sudo_search_base = ou=sudoers, dc=test, dc=tld
>>
>> and? nsswitch.conf
>>
>> ...
>> sudoers: files sss
>> ...
>>
>> I ?reated OU=sudoers,dc=test,dc=tld, but stopped during creation sudo
>> entries like as
>>
>> cn=username1,ou=sudoers,dc=test,dc=tld
>> cn=username2,ou=sudoers,dc=test,dc=tld
>>
>> I readhttps://lists.samba.org/archive/samba/2016-April/199402.html ,
>> but i have sudoRole objectclass (i see in ADSI on Windows side. It
>> would be better without using Windows).
>> Also, i have not *schema.ActiveDirectory* for import to Samba.
>>
>> How i can add sudoRole objectclass ?
>>
>>
> It is quite easy to extend Samba AD to add the sudo schema, see here
> for more info:
>
> https://wiki.samba.org/index.php/Samba_AD_schema_extensions
>
> Provided you have the full version of sudo installed (it is called
> sudo-ldap on Debian), you should have the required schema (again on
> Debian it is here: /usr/share/doc/sudo-ldap/schema.ActiveDirectory.gz)
>
> I could dig out my notes on this, but they may be out of date.
>
> Finally, you do not need sssd to get the rules, sudo is quite capable
> of doing that itself, see here:
>
> https://www.sudo.ws/docs/man/1.8.17/sudoers.ldap.man/
>
> Rowland
I know about sudo-ldap, but in my distro sudo-ldap is not provided (sudo
sudo -V | grep ldap is empty)
that's why I want to use sssd (without sudo-ldap)
--
*Anton*