SSSD with sudo support


I have been over the course of the past month prepping some NixOS systems in hopes they can take over server operations for some of my projects… I’m stuck on one final piece, which is related to SSSD .

I have copied for the most part my working configuration from an Arch server into my NixOS generated config. I can succesfully login with SSSD looking up against my (remote) LDAP server. What is not working is sudo support. I can not execute commands as root even though I have the appropriate permissions to do so from my LDAP server.

I can see that SSSD looks up the information from LDAP for my sudo access, yet in the journal I am met with:

Jul 20 15:39:12 tesla sudo[12034]: user : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/run/wrappers/bin/su

In Debian and Arch environments I have been forced to update /etc/nscd.conf /etc/nsswitch.conf and /etc/pam.d.

I looked at the source code of the module and saw that some adjustments were made, but don’t see anything relating to sudo. In an attempt to override this I added the following config.

With still no success, I’m coming to the community to see if there is any working examples available or anyone able to assist me to get SSSD with Sudo working?

My configuration
# modules/service/sssd.nix

{ config, lib, pkgs, ... }:
  services = {
    sssd = {
      sshAuthorizedKeysIntegration = true;
      enable = true;
      config = ''
id_provider = ldap
auth_provider = ldap

ldap_schema = rfc2307bis

ldap_uri = ldaps://ldap:636

ldap_default_bind_dn = cn=dsa-system,ou=dsa,ou=System,dc=example,dc=com
ldap_default_authtok = supersecurepasword
ldap_default_authtok_type = password

ldap_search_base = dc=example,dc=com
ldap_user_object_class = inetOrgPerson
ldap_tls_reqcert = never
ldap_id_use_start_tls = false

cache_credentials = true
enumerate = false

access_provider = ldap
ldap_access_filter = memberOf=cn=system-system,ou=groups,ou=Access,dc=example,dc=com

sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,ou=Access,dc=example,dc=com

ldap_user_ssh_public_key = sshPublicKey

config_file_version = 2
services = nss, pam, sudo, ssh
domains =
debug_level = 9

debug_level = 9
debug_level = 9


      nscd.config = ''
        enable-cache hosts no
        enable-cache passwd no
        enable-cache group no
        enable-cache netgroup no
        enable-cache services no

  environment.persistence."/persist" = {
    hideMounts = true ;
    directories = [
      "/var/lib/sss"                     # sssd
  ## TODO - Find a way to insert something into nsswitch rather than overwriting
  environment.etc."nsswitch.conf".text = lib.mkForce ''
passwd:    files sss systemd
group:     files sss [success=merge] systemd
shadow:    files sss
sudoers:   files sss

hosts:     mymachines resolve [!UNAVAIL=return] files myhostname dns
networks:  files

ethers:    files
services:  files sss
protocols: files
rpc:       files
  ''; = true;
  systemd.tmpfiles.rules = [
    "L /bin/bash - - - - /run/current-system/sw/bin/bash"


A couple of days later I went digging into detail and found that sudo was not compiled with sssd support. For the unlikely chance that someone stumbles on this I simply added:

security.sudo.package = pkgs.sudo.override { withSssd = true; } ; and rebuilt and sudo started working. Sweet!

1 Like