I set up an SSO environment using Debian 8 systems. I have a Kerberos server which uses LDAP as its backend. I have users and groups created in OpenLDAP. The SSO environment seems to be working correctly. I installed SASL, GSSAPI, and SSSD on a test client. I can see my users and groups using getent from my test client and I can log into the server (locally and through SSH).
I also have sudo-ldap installed and I'm trying to get SSSD to look up my sudo users in LDAP, but I can't seem to get this to work. I keep getting a "user is not in the sudoers file. This incident will be reported." error. My configuration for the test client is below:

root@korhal: cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss,pam
domains = HARMONYWAVE

[nss]
debug_level = 5
filter_users = root
filter_groups = root
#fallback_homedir = /home/%u

[pam]

[domain/HARMONYWAVE]
debug_level = 5
auth_provider = krb5
chpass_provider = krb5
krb5_server = immortal.harmonywave.com
krb5_realm = HARMONYWAVE.COM
cache_credentials = false
access_provider = simple
id_provider = ldap
ldap_uri = ldap://baneling.harmonywave.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca.harmonywave.com.pem
ldap_search_base = dc=harmonywave,dc=com
ldap_id_use_start_tls = true
ldap_sasl_mech = GSSAPI
ldap_user_search_base = ou=People,dc=harmonywave,dc=com
ldap_group_search_base = ou=Group,dc=harmonywave,dc=com
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_fullname = cn
ldap_user_home_directory = homeDirectory
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_sudo_search_base = ou=SUDOers,dc=harmonywave,dc=com
sudo_provider = ldap

Getent shows that it can find me, my group, and that I am part of the wheel group:

root@korhal:/home/jschaeffer# getent passwd jschaeffer
jschaeffer:*:5000:5000:Joshua Schaeffer:/home/jschaeffer:/bin/bash
root@korhal:/home/jschaeffer# getent group jschaeffer
jschaeffer:*:5000:jschaeffer
root@korhal:/home/jschaeffer# getent group wheel
wheel:*:4002:jschaeffer

I have the wheel group in OpenLDAP:

root@korhal:/home/jschaeffer# ldapsearch -LLL -Y GSSAPI -H ldap://baneling.harmonywave.com -b ou=SUDOers,dc=harmonywave,dc=com
SASL/GSSAPI authentication started
SASL username: jschaef...@harmonywave.com
SASL SSF: 56
SASL data security layer installed.
dn: ou=SUDOers,dc=harmonywave,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=%wheel,ou=SUDOers,dc=harmonywave,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

dn: cn=defaults,ou=SUDOers,dc=harmonywave,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Add default sudoOptions's here

When I try to run any command with sudo it fails:

jschaeffer@korhal:~$ sudo ls
[sudo] password for jschaeffer:
jschaeffer is not in the sudoers file. This incident will be reported.

Any help would be appreciated.

Thanks,
Joshua
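The following is an added example, not part of Joshua's post or of the SSSD project. sssd-sudo(5) requires two things beyond sudo_provider = ldap before sudo ever consults SSSD: the sudo responder must be started by listing "sudo" in services= under [sssd], and /etc/nsswitch.conf needs a "sudoers: files sss" line so that sudo's sss plugin is used. Neither appears in the configuration above. Two caveats: the Debian sudo-ldap package talks to LDAP directly through /etc/sudo-ldap.conf and does not go through SSSD, so with that package installed the SSSD settings are never read; and whichever sudo binary is installed must have been built with SSSD support (run sudo -V as root and look for sssd in the listed configure options). The script below is a small POSIX sh audit that checks a given sssd.conf and nsswitch.conf for those two settings; the sample files it writes are constructed here for an offline run and reuse the post's domain and search base only as illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sssd.conf and an
# nsswitch.conf for the two settings SSSD's sudo integration needs
# (sssd-sudo(5)): "sudo" in services= under [sssd], and an nsswitch.conf
# "sudoers:" line that includes "sss". File paths are parameters; the
# sample files written by write_samples are constructed for this demo.

# 0 if "sudo" is listed in services= inside the [sssd] section.
sssd_has_sudo_service() {
    sed -n '/^\[sssd\]/,/^\[/p' "$1" \
      | sed -n 's/^[[:space:]]*services[[:space:]]*=[[:space:]]*//p' \
      | tr ', ' '\n\n' \
      | grep -qx 'sudo'
}

# 0 if an uncommented "sudoers:" line in nsswitch.conf names the sss source.
nsswitch_has_sudoers_sss() {
    grep -E '^[[:space:]]*sudoers:' "$1" | grep -qw 'sss'
}

# Report what is missing; 0 only when both checks pass.
audit_sssd_sudo() {
    rc=0
    if ! sssd_has_sudo_service "$1"; then
        echo "MISSING: 'sudo' is not in services= under [sssd] in $1"
        rc=1
    fi
    if ! nsswitch_has_sudoers_sss "$2"; then
        echo "MISSING: no 'sudoers: ... sss' line in $2"
        rc=1
    fi
    return $rc
}

# Write a constructed pair of files, "$1/sssd.conf" and "$1/nsswitch.conf".
# Variant "broken" mirrors the post (sudo responder not started, no sudoers
# source in nsswitch); variant "fixed" carries the two corrections.
write_samples() {
    dir="$1"; variant="$2"
    if [ "$variant" = fixed ]; then
        services='nss, pam, sudo'
        sudoers_line='sudoers:        files sss'
    else
        services='nss,pam'
        sudoers_line='# no sudoers line: sudo never asks SSSD'
    fi
    cat > "$dir/sssd.conf" <<EOF
[sssd]
config_file_version = 2
services = $services
domains = HARMONYWAVE

[domain/HARMONYWAVE]
id_provider = ldap
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,dc=harmonywave,dc=com
EOF
    cat > "$dir/nsswitch.conf" <<EOF
passwd:         compat sss
group:          compat sss
$sudoers_line
EOF
}

# Demo: audit the broken pair, then the fixed pair.
demo_dir=$(mktemp -d)
write_samples "$demo_dir" broken
if audit_sssd_sudo "$demo_dir/sssd.conf" "$demo_dir/nsswitch.conf"; then
    echo "broken sample unexpectedly passed"
else
    echo "broken sample: fix the items above, then restart sssd"
fi
write_samples "$demo_dir" fixed
audit_sssd_sudo "$demo_dir/sssd.conf" "$demo_dir/nsswitch.conf" && echo "fixed sample: ok"
rm -rf "$demo_dir"
```

To check a real client, call audit_sssd_sudo /etc/sssd/sssd.conf /etc/nsswitch.conf; after adding the missing pieces, restart sssd so the sudo responder starts, then retry sudo. If the audit passes and sudo still reports the user as not in sudoers, the remaining suspects are the sudo build (sudo-ldap versus an SSSD-enabled sudo) and the sudo responder's own log under /var/log/sssd/.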