sys-auth/sssd support was added to sudo in version 1.8.6. The current ebuilds for sudo (from 1.8.6 through 1.8.11_p1) do not include support by default or have a USE flag to enable support.
Editing the current ebuild and adding --with-sssd to src_configure() does work correctly when sys-auth/sssd is installed (i.e. sssd successfully handles the sudo request to an ldap server).
I am not sure what the best way to handle this is. The documentation I could find on --with-sssd suggests that it merely adds support and does not add a dependency on sys-auth/sssd, but I have not tested. I am not sure if it should be a default to add the --with-sssd to the ebuild or add a use flag for sssd.
Steps to Reproduce:
1. emerge sys-auth/sssd app-admin/sudo
2. set up pam rules to use sssd and configure sssd to handle sudo requests
3. edit /etc/nsswitch.conf to include "sudoers: files sss" (instead of ldap)
4. attempt sudo with an ldap user without a local account
sudo fails to use the sssd service and only looks at the local /etc/sudoers file
sudo should succeed in using sssd (at least assuming the ldap user is configured to have sudo access)
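As an added example (not part of the original report, and not code from the sudo or sssd projects), this Python check looks at the three places the steps above touch and reports which one stops sudo from consulting sssd. It assumes the configure options are taken from what `sudo -V` prints when run as root and that the sudo responder is enabled through `services` in the `[sssd]` section of sssd.conf; the function names and finding codes are this example's own.

```python
import configparser
import re

# Finding codes -> explanation. Names are this example's own, not sudo's or sssd's.
FINDINGS = {
    "NSS_NO_SSS": "nsswitch.conf: 'sudoers' does not list sss, so sudo never asks sssd",
    "SUDO_NO_SSSD": "sudo was configured without --with-sssd: the sss source is "
                    "skipped and only the local sudoers file is consulted",
    "SSSD_NO_SUDO": "sssd.conf: [sssd] services does not list sudo",
}

def sudoers_sources(nsswitch_text):
    """Ordered sources for the 'sudoers' database; [] when the line is absent."""
    for raw in nsswitch_text.splitlines():
        db, sep, rest = raw.split("#", 1)[0].partition(":")
        if sep and db.strip() == "sudoers":
            # Drop bracketed actions such as [NOTFOUND=return].
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def sssd_serves_sudo(sssd_conf_text):
    """True when the [sssd] section lists the sudo responder in 'services'."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(sssd_conf_text)
    services = cp.get("sssd", "services", fallback="")
    return "sudo" in [s.strip() for s in services.split(",")]

def built_with_sssd(configure_opts):
    """configure_opts: the 'Configure options:' text that `sudo -V` prints for root."""
    return any(o in ("--with-sssd", "--with-sssd=yes") for o in configure_opts.split())

def diagnose(nsswitch_text, sssd_conf_text, configure_opts):
    """Return the finding codes explaining why sudo would not consult sssd."""
    codes = []
    if "sss" not in sudoers_sources(nsswitch_text):
        codes.append("NSS_NO_SSS")
    if not built_with_sssd(configure_opts):
        codes.append("SUDO_NO_SSSD")
    if not sssd_serves_sudo(sssd_conf_text):
        codes.append("SSSD_NO_SUDO")
    return codes

if __name__ == "__main__":
    # Constructed sample input reproducing the report: sss listed, sudo built without it.
    nss = "passwd: files sss\nsudoers: files sss  # instead of ldap\n"
    conf = "[sssd]\nservices = nss, pam, sudo\n\n[domain/example.org]\nid_provider = ldap\n"
    for code in diagnose(nss, conf, "--with-ldap --without-sssd"):
        print(code, "-", FINDINGS[code])
```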
Created attachment 387890
Patch to sudo-1.8.11_p1.ebuild to add sssd support
Confirmed that by default, app-admin/sudo-1.8.11_p1 does not build support for sssd. app-admin/sudo-1.8.11_p1 does, however, have support for sssd if it is enabled during the configure stage. This ebuild patch for app-admin/sudo-1.8.11_p1.ebuild builds sudo with support for sssd with the sssd USE flag enabled, with some brief instructions on what needs to be done from that point (similar to the LDAP USE flag instructions already there).
Could you please apply this patch to portage tree?
patch as-is is fine, but we can't add it until bug 540540 is resolved
Is bug 540540 not a duplicate of this?
(In reply to Brett Merrick from comment #4)
> Is bug 540540 not a duplicate of this?
No, bug 540540 is against sys-auth/sssd, while this one is against app-admin/sudo. They are tightly related, but not the same.
*** Bug 553676 has been marked as a duplicate of this bug. ***
I would have to politely disagree: nsswitch.conf should contain sudoers: files sss, not sss then files. Also, shouldn't sssd be included as an RDEPEND?
Thanks for the patch!
According to the Changelog, the sssd useflag was present in sudo-1.8.12-r1.
Any reasons why the flag is missing again?
(In reply to Thomas Berger from comment #8)
please read comment #3
Any progress?
Any news on that?
Finally on it
The bug has been closed via the following commit(s):
Author: Mikle Kolyada <firstname.lastname@example.org>
AuthorDate: 2018-10-05 21:37:29 +0000
Commit: Mikle Kolyada <email@example.com>
CommitDate: 2018-10-05 21:37:29 +0000
app-admin/sudo: Add sys-auth/sssd support
Signed-off-by: Mikle Kolyada <firstname.lastname@example.org>
Package-Manager: Portage-2.3.49, Repoman-2.3.11
app-admin/sudo/metadata.xml | 1 +
app-admin/sudo/sudo-1.8.25_p1-r1.ebuild | 242 ++++++++++++++++++++++++++++++++
2 files changed, 243 insertions(+)