Configure SSSD (sudo and dyndns_update) with realmd

Question

I'm trying to join a Ubuntu 16.04 to a Windows domain (active directory) using realmd + sssd. Basically I was following this post which worked pretty well and I was able to join my server and could successfully authenticate as AD user. However there are two pieces missing in the integration:

Register server's hostname in DNS
Use sssd-sudo for user authorization

Register server's hostname in DNS

As mentioned I successfully join the AD by using realm join --user=dpr MYDOMAIN.INT --install=/:

root@ip-172-28-5-174 ~ # realm list
mydomain.int
  type: kerberos
  realm-name: MYDOMAIN.INT
  domain-name: mydomain.int
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %[email protected]
  login-policy: allow-realm-logins

However, dispite the successful join, my server is not known to the other machines in the domain using its hostname ip-172-28-5-174.mydomain.int. I found this documentation that mentions a dyndns_update setting in the sssd.conf file.

As I'm using realm. The sssd configuration is generated automatically by issuing the join command. The generated config file looks like this:

[sssd]
domains = mydomain.int
config_file_version = 2
services = nss, pam

[domain/mydomain.int]
ad_domain = mydomain.int
krb5_realm = MYDOMAIN.INT
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

That is I somehow need to add dyndns_update = True to this generated file. But how?

Use sssd-sudo for user authorization

Additionally I want to make sssd to read my sudo configuration from AD. I think this can be achieved using sssd-sudo but this needs to be enabled/configured in the sssd.conf file as well by adding sudo to the sssd services and use sudo_provider = ldap for my domain. Again I'm not able to figure out how to do this with realm.

Basically I want my generated config file to look like this:

[sssd]
domains = mydomain.int
config_file_version = 2
services = nss, pam, sudo

[domain/mydomain.int]
id_provider = ad
access_provider = ad
sudo_provider = ldap
ad_domain = mydomain.int
krb5_realm = MYDOMAIN.INT
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d

Any ideas on how this can be achieved?

Can you clarify reading your `sudo` configuration from AD, please. The access groups? Or the specifications of programs, aliases, etc.? Groups "just happen". The remainder of the specifications are (much) harder. — roaima, Apr 20 '17 at 20:16

claytond · Answer 1 · 2017-06-20T21:47:38.143

If you want Active Directory to manage sudoers, you have to load a specialized schema into AD and then create your rules using a tool like ADSI Edit. This walkthrough worked for me on Ubuntu 14.04. The highlights are:

Import schema.ActiveDirectory
Create rules following the sudoers-ldap manpage
Update etc/nsswitch.conf to include sss among the entries on the sudoers = line
Update etc/sssd/sssd.conf to include:
- sudo among the entries on the services = line
- an empty [sudo] section (no configs are required, but Redhat asserts that this triggers the proper configuration of sudo support)
- a line like sudo_provider = ad (sssd docs on pagure.org claim sudo provider is enabled by default for ldap, ad and ipa so this may be optional)

When I repeat this process for 16.04 (i.e. same AD rules as 14.04), I'm actually having other issues. Apparently, this is not uncommon. It's possible that there's a bug in the version of sudo included in 16.04.

In principle, manually upgrading to the latest should resolve this issue.
The regular sudo package (not sudo-ldap) is the right package if you want SSSD (and not sudo) to manage the ldap connection. Specifically, installing sudo-ldap produced no logs in sssd_sudo.log while the regular sudo package did.
While sssd_sudo is now showing Returning 2 rules for [<user>@<domain>], sudo -l is still responding with Sorry, user <user>@<domain> may not run sudo on <host> so there may be other issues needing resolved.

My situation may not be typical, however, as I'm having additional issues that don't appear to be common. For example, I had issues running realm join that were resolved using workarounds from this Server Fault question.

If you found your way here due to realmd/sssd/sudo issues in 16.04, here are some other reported problems that may be helpful (not necessarily directly related to the OP's issue):

IPA host netgroup issue (more info on the free-ipa users list)
There's a known issue with realmd dependency resolution. As mentioned in the discussion, installing packagekit resolves for many (including us). There may be a separate issue with the version in 16.04.

We're evaluating 16.04 for upgrade so we may put this on the back burner, but hopefully our legwork helps others.

score 2 · Accepted Answer · answered Apr 21 '17 at 08:26

Sadly there doesn't seem to be an option to add custom configuration parameters to the sssd.conf file generated by realmd.

I had to adjust the generated config to contain my needed settings after joining the domain with realm join and restart sssd (service restart sssd) for the settings to take effect.

Configure SSSD (sudo and dyndns_update) with realmd

2 Answers2

Linked