sys-auth/sssd support was added to sudo in version 1.8.6. The current ebuilds for sudo (from 1.8.6 through 1.8.11_p1) do not include support by default or have a USE flag to enable support. Editing the current ebuild and adding --with-sssd to src_configure() does work correctly when sys-auth/sssd is installed (i.e. sssd successfully handles the sudo request to an ldap server).

I am not sure what the best way to handle this is. The documentation I could find on --with-sssd suggests that it merely adds support and does not add a dependency on sys-auth/sssd, but I have not tested. I am not sure if it should be a default to add the --with-sssd to the ebuild or add a USE flag for sssd.

Reproducible: Always

Steps to Reproduce:
1. emerge sys-auth/sssd app-admin/sudo
2. set up pam rules to use sssd and configure sssd to handle sudo requests
3. edit /etc/nsswitch.conf to include "sudoers: files sss" (instead of ldap)
4. attempt sudo with an ldap user without a local account

Actual Results:
sudo fails to use the sssd service and only looks at the local /etc/sudoers file

Expected Results:
sudo should succeed in using sssd (at least assuming the ldap user is configured to have sudo access)
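An added example, not part of the original report and not code from sudo or Gentoo: a small check for the mismatch described above, where nsswitch.conf lists sss for sudoers but the sudo binary was configured without --with-sssd. The function names, status words and sample inputs are assumptions constructed for illustration; on a real host the configure string can be taken from `sudo -V` run as root.

```shell
#!/bin/sh
# Added example with constructed inputs; function names are hypothetical.

# Print the sources on the "sudoers:" line of an nsswitch.conf-style file.
sudoers_sources() {
    awk '{ sub(/#.*/, "") }    # drop trailing comments
         $1 == "sudoers:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed only if the configure-options string contains --with-sssd itself,
# not merely another option that starts with the same prefix.
built_with_sssd() {
    for opt in $1; do
        case "$opt" in --with-sssd|--with-sssd=*) return 0 ;; esac
    done
    return 1
}

# diagnose NSSWITCH_FILE CONFIGURE_OPTS -> prints one status word.
diagnose() {
    case " $(sudoers_sources "$1") " in
        *" sss "*) ;;                               # sss is requested
        *) echo "sss-not-listed"; return 0 ;;
    esac
    if built_with_sssd "$2"; then
        echo "ok"
    else
        # The situation in this report: sudo consults only local sudoers.
        echo "sudo-built-without-sssd"
    fi
}

# Constructed sample: step 3 of the report, plus two configure strings.
sample=$(mktemp)
printf 'passwd: files sss\nsudoers:\tfiles sss   # instead of ldap\n' > "$sample"
diagnose "$sample" "--prefix=/usr --with-ldap"
diagnose "$sample" "--prefix=/usr --with-ldap --with-sssd"
rm -f "$sample"
```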
Created attachment 387890
Patch to sudo-1.8.11_p1.ebuild to add sssd support

Confirmed that by default, app-admin/sudo-1.8.11_p1 does not build support for sssd. app-admin/sudo-1.8.11_p1 does, however, have support for sssd if it is enabled during the configure stage.

This ebuild patch for app-admin/sudo-1.8.11_p1.ebuild builds sudo with support for sssd with the sssd USE flag enabled, with some brief instructions on what needs to be done from that point (similar to the LDAP USE flag instructions already there).
Could you please apply this patch to the portage tree?
The patch as-is is fine, but we can't add it until bug 540540 is resolved.
Is bug 540540 not a duplicate of this?
(In reply to Brett Merrick from comment #4)
> Is bug 540540 not a duplicate of this?

No, bug 540540 is against sys-auth/sssd, while this one is against app-admin/sudo. They are tightly related, but not the same.
*** Bug 553676 has been marked as a duplicate of this bug. ***
I would have to politely disagree: nsswitch.conf should contain "sudoers: files sss", not sss then files.

Also, shouldn't sssd be included as an RDEPEND?

Thanks for the patch!
According to the Changelog, the sssd USE flag was present in sudo-1.8.12-r1. Any reasons why the flag is missing again?
(In reply to Thomas Berger from comment #8)
Please read comment #3.
Any progress?
Any news on that?
Finally on it
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45151dcfac954a3de23e9980fb29b43a69244ad7

commit 45151dcfac954a3de23e9980fb29b43a69244ad7
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-10-05 21:37:29 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-10-05 21:37:29 +0000

    app-admin/sudo: Add sys-auth/sssd support

    Closes: https://bugs.gentoo.org/525674
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 app-admin/sudo/metadata.xml             |   1 +
 app-admin/sudo/sudo-1.8.25_p1-r1.ebuild | 242 ++++++++++++++++++++++++++++++++
 2 files changed, 243 insertions(+)