
SSSD and sudo-rules in Active Directory

1 vote
1 answer
2544 views
# Note #

While making this post I managed to find the problem myself, so I thought I might as well post it in case it helps someone else later on. The problem was that I had a typo in **/etc/nsswitch.conf**: I had written **suduers** and not **sudoers**. The **sudoers:** entry wasn't there from the beginning, so I had to add it, hence the typo. One more thing was that the package **libsss-sudo** wasn't installed either, which was needed.

# Post #

I have my Linux servers joined to my AD with SSSD like this:

```
apt-get install sssd-ad sssd-tools realmd adcli krb5-user libsss-sudo
realm join -U Administrator domain.local
```

I can log on with my AD users just fine, but now I want to manage the sudo rules in AD too. I extended the AD schema like this on my AD server:

```
wget https://github.com/sudo-project/sudo/blob/main/docs/schema.ActiveDirectory -O schema.ActiveDirectory
```

I changed all the **DC=X** entries to **DC=domain,DC=local** and then ran:

```
ldifde -i -f schema.ActiveDirectory
```

So far so good. I created an OU where I want all my sudo rules:

```
OU=Sudo-rules,OU=Linux Servers,OU=Computers,OU=Company,DC=domain,DC=local
```

In the OU **Sudo-rules** I created an object with the **sudoRole** class, named it **LinuxAdminsSudo** and edited the following attributes:

```
sudoCommand: ALL
sudoHost: ALL
sudoRunAs: ALL
sudoUser: %linuxadmins@domain.local
```

**linuxadmins@domain.local** is an AD group where all the Linux admins are members, and I want them to get full sudo access to all Linux servers.

This is my **/etc/sssd/sssd.conf**:

```
[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam, sudo

[domain/domain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = domain.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
sudo_provider = ad

[sudo]
```

In **/etc/nsswitch.conf** I added:

```
sudoers: sss files
```

Clear the cache for SSSD and restart:

```
sss_cache -E
systemctl restart sssd
```

Now I log in with a user that's in the **LinuxAdmins** group, and when I run **sudo -l** I get this:

```
Sorry, user admin-user@domain.local may not run sudo on linux-host1.
```

So I'm not allowed to run sudo at all, even though the rule in AD should allow this. When checking the SSSD cache I can see that it has indeed retrieved the rule:

```
ldbsearch -H /var/lib/sss/db/cache_domain.local.ldb
```

I found this entry:

```
# record 28
dn: name=LinuxAdminsSudo,cn=sudorules,cn=custom,cn=domain.local,cn=sysdb
cn: LinuxAdminsSudo
dataExpireTimestamp: 1699953662
entryUSN: 65897179
name: LinuxAdminsSudo
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=domain,DC=local
objectClass: sudoRule
originalDN: CN=LinuxAdminsSudo,OU=Sudo-rules,OU=Linux Servers,OU=Computers,OU=Company,DC=domain,DC=local
sudoCommand: ALL
sudoHost: ALL
sudoRunAs: ALL
sudoUser: %linuxadmins@domain.local
distinguishedName: name=LinuxAdminsSudo,cn=sudorules,cn=custom,cn=domain.local,cn=sysdb
```

which indicates that it can retrieve the rule just fine from AD. And everything was just fine; I had just made a typo in **/etc/nsswitch.conf**, as stated at the beginning of the post.
Asked by PatricF (171 rep)
Nov 14, 2023, 08:53 AM
Last activity: Jul 20, 2025, 11:03 AM
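The post's root cause (a misspelt `sudoers:` database name in nsswitch.conf, plus a missing libsss-sudo package) is easy to miss because SSSD happily caches the rule while sudo never asks it. The script below is an added example, not the poster's code, that checks those prerequisites in the order the post identifies them. The file-parsing functions take paths as parameters so they can be run against copies; the `--live` mode, the `DOMAIN` variable and the use of `dpkg` (Debian/Ubuntu, as in the post) are assumptions for this example.

```shell
#!/bin/sh
# check_sssd_sudo.sh - an added diagnostic, not code from the original post.
# It checks the things the poster tripped over before trusting `sudo -l`:
#   1. /etc/nsswitch.conf has a `sudoers:` line that lists `sss`
#      (a misspelt database name such as `suduers:` is simply ignored, so
#      sudo never consults SSSD and denies everything)
#   2. /etc/sssd/sssd.conf starts the sudo responder and sets sudo_provider
#   3. the libsss-sudo package (the sudoers NSS plug-in) is installed
# File paths are parameters so the parsing checks can run against copies;
# the --live mode and the DOMAIN value are assumptions for this example.

DOMAIN="${DOMAIN:-domain.local}"   # assumed; matches the poster's sssd.conf

# 0 if the nsswitch file has a `sudoers:` line with sss among its sources.
nsswitch_sudo_ok() {
    f="${1:-/etc/nsswitch.conf}"
    grep -Eq '^[[:space:]]*sudoers:([[:space:]]+[^[:space:]]+)*[[:space:]]+sss([[:space:]]|$)' "$f"
}

# Print any `sud...:` database line that is not spelt `sudoers:`, i.e. the
# class of typo behind the poster's "may not run sudo" message.
nsswitch_sudo_typos() {
    f="${1:-/etc/nsswitch.conf}"
    grep -E '^[[:space:]]*sud[a-z]*:' "$f" | grep -Ev '^[[:space:]]*sudoers:' || true
}

# 0 if sssd.conf names sudo in services= and sets sudo_provider= to a backend.
sssd_sudo_ok() {
    f="${1:-/etc/sssd/sssd.conf}"
    grep -Eq '^[[:space:]]*services[[:space:]]*=([^#]*[[:space:],])?sudo([[:space:],]|$)' "$f" &&
    grep -Eq '^[[:space:]]*sudo_provider[[:space:]]*=[[:space:]]*(ad|ldap|ipa)' "$f"
}

# Run the file checks, print a verdict per file, return 1 if anything is off.
check_files() {
    nss="${1:-/etc/nsswitch.conf}"
    conf="${2:-/etc/sssd/sssd.conf}"
    rc=0
    if nsswitch_sudo_ok "$nss"; then
        echo "ok:   $nss routes sudoers lookups to sss"
    else
        echo "FAIL: $nss has no 'sudoers:' line naming sss"
        typos=$(nsswitch_sudo_typos "$nss")
        if [ -n "$typos" ]; then echo "      suspicious line: $typos"; fi
        rc=1
    fi
    if sssd_sudo_ok "$conf"; then
        echo "ok:   $conf has the sudo responder and a sudo_provider"
    else
        echo "FAIL: $conf needs 'sudo' in services= and sudo_provider= in the domain"
        rc=1
    fi
    return $rc
}

# Checks that need the real host (Debian/Ubuntu assumed for dpkg).
live_checks() {
    check_files /etc/nsswitch.conf /etc/sssd/sssd.conf || true
    if dpkg -s libsss-sudo >/dev/null 2>&1; then
        echo "ok:   libsss-sudo is installed"
    else
        echo "FAIL: libsss-sudo missing (apt-get install libsss-sudo)"
    fi
    # Same refresh the poster did, then show what SSSD cached and what sudo sees.
    sss_cache -E && systemctl restart sssd
    ldbsearch -H "/var/lib/sss/db/cache_${DOMAIN}.ldb" '(objectClass=sudoRule)' \
        sudoUser sudoHost sudoCommand
    sudo -l
}

if [ "${1:-}" = "--live" ]; then live_checks; fi
```

Run it as `sh check_sssd_sudo.sh --live` on the joined host; a rule that shows up in the `ldbsearch` output but not in `sudo -l` points at the nsswitch or package side rather than at AD. With the poster's original typo, `check_files` reports the `suduers: sss files` line as suspicious, which is the quickest way to see that the database name, not the rule, is wrong.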