On Sun, Dec 18, 2016 at 05:12:40PM -0700, Bdale Garbee wrote:
> Borden Rhodes <j...@bordenrhodes.com> writes:
> 
> > I'm on Debian Stretch, so I use libsss-sudo version 1.14.2-1 and
> > version 1.8.17p1-2 of sudo. I've since uninstalled libsss-sudo but can
> > reinstall it for debugging purposes.
> 
> I'd be curious to know if sudo 1.8.18p1-2 still exhibits the problem.
> Is that something you can test without great angst?

I can confirm that the problem happens with sudo 1.8.19p1-1 and
sssd 1.15.0-3.

The workaround I used was as per [1] in sssd's configuration:

[sssd]
services = nss, pam, sudo

[mydomain/LDAP]
sudo_provider = none

It seems quite debatable whether this is a sudo problem rather than
an sssd problem. The summary at [2] from Oliver Brakmann seems
most informative:

"It affects both local and LDAP users. I don't have any sudo config in LDAP, 
which is probably the problem.

What I believe happens is that either or both of sudo and sssd do not correctly 
cope with the situation of the sudo configuration not being available in the 
sssd backing store. Sudo asks sssd for the "cn=defaults" entry from LDAP, sssd 
looks for it, doesn't find anything and returns an error. Sudo sees the error 
and complains.

I can come up with three possible solutions:

1) patch sudo to not log a message when sssd returns an error.
=> probably not the best solution, since we may miss real errors, too.

2) patch sssd to not return an error when the configuration isn't found.
=> probably slightly better than (1), but we still might miss real errors (I 
think). BTW, the offending code starts here: 
https://git.fedorahosted.org/cgit/sssd.git/tree/src/sss_client/sudo/sss_sudo.c#n109

3) patch the sssd package to not alter the nsswitch.conf.
=> this is probably the best solution. I think the people that store the sudo 
config in LDAP are quite the minority. I also think that those people know that 
they need to modify their nsswitch.conf for their configuration to work. Goes a 
bit against the spirit of Ubuntu, though."

Cheers,
Dominic.

[1] https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1249777/comments/11
[2] https://bugs.launchpad.net/debian/+source/sudo/+bug/1249777/comments/2
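
The state the workaround above changes can be checked from the two files involved. This is an added example, not part of the original message or of sudo or sssd: it assumes the `sudoers:` line of nsswitch.conf is what points sudo at sssd, treats any sssd.conf section with a `/` in its name as a domain section (as in `[mydomain/LDAP]` above), and runs on constructed file contents; `sudoers_sources` and `classify` are hypothetical helper names.

```python
import configparser

# Constructed sample file contents (not taken from a real host).
NSSWITCH_SSS = "passwd: compat sss\nsudoers: files sss  # sudo also asks sssd\n"
NSSWITCH_FILES = "passwd: compat sss\nsudoers: files\n"
SSSD_WORKAROUND = """[sssd]
services = nss, pam, sudo

[mydomain/LDAP]
sudo_provider = none
"""
SSSD_UNCHANGED = """[sssd]
services = nss, pam, sudo

[mydomain/LDAP]
id_provider = ldap
"""

def sudoers_sources(nsswitch_text):
    """Return the lookup sources on the 'sudoers:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("sudoers:"):
            return line.split(":", 1)[1].split()
    return []  # no sudoers line at all

def classify(nsswitch_text, sssd_text):
    """Return (state, domains in which sudo_provider is not 'none')."""
    if "sss" not in sudoers_sources(nsswitch_text):
        # Solution (3) in the quoted summary: sudo never asks sssd.
        return ("sudo-not-using-sss", [])
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_text)
    domains = [s for s in cp.sections() if "/" in s]
    pending = [d for d in domains
               if cp.get(d, "sudo_provider", fallback="").strip().lower() != "none"]
    if domains and not pending:
        return ("workaround-applied", [])
    # sudo asks sssd and at least one domain has no 'sudo_provider = none':
    # the setup in which the message is reported when LDAP holds no sudo rules.
    return ("sudo-queries-sssd", pending)

if __name__ == "__main__":
    for nss, sssd in [(NSSWITCH_SSS, SSSD_UNCHANGED),
                      (NSSWITCH_SSS, SSSD_WORKAROUND),
                      (NSSWITCH_FILES, SSSD_UNCHANGED)]:
        print(classify(nss, sssd))
```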
