Hello Marc and all,

Marc Haber [2026-02-10 14:50 +0100]:
> I was not aware that other things depended on that. We have discussed that
> numerous times inside the sudo team, and I think that I took that to -devel
> at least once, being well aware that our removing of the unmaintainable
> sudo-ldap might break things.
> 
> I apologize for the additional work that this change caused despite the
> utmost care taken by the sudo team.

No worries! This wasn't meant as a blame, but as a discussion starter. I am not
familiar with the sudo-ldap deprecation, but that's (1) probably fine (you are
the expert here), and (2) I think only tangential for this bug.

> > But this is gone now. Consequently, libsss-sudo's postinst does not add 'sss'
> > any more, as there is no 'sudoers:' line, and the `sed` just changes an
> > existing one:
> > 
> > -------------- 8< ---------------
> >     if ! grep -q -E  -e '^sudoers:[^#]*\s(sss)(\s|#|$)' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
> >             # Installing sudoers/sss from libsss-sudo in position last
> >             sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^sudoers:\s[^#]*$/ s/$/ sss/' -e '/^sudoers:\s.*#/ s/#/ sss #/'
> >     fi
> > -------------- 8< ---------------
> > 
> > That leaves sssd configuration of sudo rules broken by default now. Could
> > libsss-sudo adopt the "create entry" code from the late libnss-sudo?

Doing that should fix the problem without the deprecated/removed libnss-sudo I
think, and it would be fairly unintrusive.

> Can you elaborate a bit on "sssd configuration of sudo rules"? The only
> thing I have ever seen (and tested) is sssd contributing to getent passwd,
> getent group et al.
> 
> What would a test case to check "sssd configuration of sudo rules" look like?

Cockpit's test suite models a typical "large org" setup: Centralized user
management with https://tracker.debian.org/pkg/freeipa ; part of that is
maintaining users and their roles in LDAP. sssd abstracts away most of that,
i.e. provides the integration into NSS, for both passwd/groups and also
`sudoers`, so that these can be managed centrally through IPA as well. I.e. our
test (effectively) calls `realmd join` which calls `ipa-client-install`.

On the IPA server side, you need to run the output of `ipa-advise
enable-admins-sudo` to enable central sudoers management.

Setting all of this up is quite involved. If it's unclear how this happens,
I can spend an hour trying to replicate everything in a Debian testing VM with
just a FreeIPA container -- but I hope that can be done in a simpler way? I.e.
extending the above sed shell code in the postinst to create a missing entry
keeps the previous behaviour with libnss-sudo, and reduces the dependency
assumption.

Thanks,

Martin

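To make the suggested fix concrete, here is an added example of the "create entry" fallback Martin proposes. It is not the libsss-sudo postinst and not code from anyone in this thread; it keeps the intent of the quoted grep/sed (leave an existing line alone if it already lists `sss`, otherwise append `sss` last, before any trailing comment) and adds the missing case, a file with no `sudoers:` line at all. It assumes GNU sed and grep (as on Debian) and takes the nsswitch.conf path as `$1`; a real postinst would pass `"${DPKG_ROOT}/etc/nsswitch.conf"`. The sample nsswitch.conf content at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the libsss-sudo postinst or any code from this thread:
# make sure the 'sudoers:' line of an nsswitch.conf lists 'sss', and create
# the line when it is missing (the case that broke once libnss-sudo no
# longer creates it).
# Assumptions: GNU sed/grep (Debian), file path passed as $1 (a real
# postinst would pass "${DPKG_ROOT}/etc/nsswitch.conf").

ensure_sudoers_sss() {
    conf="$1"

    # Idempotence: 'sss' is already present as a word on the sudoers line.
    if grep -q -E -e '^sudoers:[^#]*[[:space:]]sss([[:space:]]|#|$)' "$conf"; then
        return 0
    fi

    if grep -q -E -e '^sudoers:' "$conf"; then
        # A sudoers line exists: append sss last, either at end of line or
        # just before a trailing comment (same intent as the quoted sed).
        sed -E -i \
            -e '/^sudoers:[^#]*$/ s/$/ sss/' \
            -e '/^sudoers:[^#]*#/ s/[[:space:]]*#/ sss #/' \
            "$conf"
    else
        # No sudoers line at all: create one. 'files' first keeps the local
        # /etc/sudoers consulted ahead of the LDAP/IPA rules served by sssd.
        if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
            printf '\n' >> "$conf"   # file lacked a final newline
        fi
        printf 'sudoers: files sss\n' >> "$conf"
    fi
}

# Print the resulting sudoers line (empty if none), for inspection.
get_sudoers_line() {
    grep -E '^sudoers:' "$1" || true
}

# Demo on a constructed nsswitch.conf that has passwd/group but no sudoers line.
demo=$(mktemp)
printf 'passwd: files sss\ngroup: files sss\n' > "$demo"
ensure_sudoers_sss "$demo"
echo "after first run: $(get_sudoers_line "$demo")"
ensure_sudoers_sss "$demo"
echo "sudoers lines after second run: $(grep -c '^sudoers:' "$demo")"
rm -f "$demo"
```

Running the helper twice on the same file is a no-op the second time, which is what a maintainer script needs for upgrades and reinstalls; the existing-line branch only ever appends `sss` once and never reorders what the admin already configured.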