Hi!
Over the course of the past month I have been prepping some NixOS systems in the hope that they can take over server operations for some of my projects… I’m stuck on one final piece, which is related to SSSD.
I have copied, for the most part, my working configuration from an Arch server into my NixOS generated config. I can successfully log in with SSSD looking up against my (remote) LDAP server. What is not working is sudo support. I cannot execute commands as root even though I have the appropriate permissions to do so from my LDAP server.
I can see that SSSD looks up the information from LDAP for my sudo access, yet in the journal I am met with:
```
Jul 20 15:39:12 tesla sudo[12034]: user : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/run/wrappers/bin/su
```
In Debian and Arch environments I have been forced to update /etc/nscd.conf, /etc/nsswitch.conf and /etc/pam.d.
I looked at the source code of the module and saw that some adjustments were made, but I don’t see anything relating to sudo. In an attempt to override this I added the following config.
With still no success, I’m coming to the community to see if there are any working examples available, or anyone able to assist me in getting SSSD with sudo working.
My configuration
```nix
# modules/service/sssd.nix
{ config, lib, pkgs, ... }:
{
  services = {
    sssd = {
      sshAuthorizedKeysIntegration = true;
      enable = true;
      config = ''
        [domain/example.com]
        id_provider = ldap
        auth_provider = ldap
        ldap_schema = rfc2307bis
        ldap_uri = ldaps://ldap:636
        ldap_default_bind_dn = cn=dsa-system,ou=dsa,ou=System,dc=example,dc=com
        ldap_default_authtok = supersecurepasword
        ldap_default_authtok_type = password
        ldap_search_base = dc=example,dc=com
        ldap_user_object_class = inetOrgPerson
        ldap_tls_reqcert = never
        ldap_id_use_start_tls = false
        cache_credentials = true
        enumerate = false
        access_provider = ldap
        ldap_access_filter = memberOf=cn=system-system,ou=groups,ou=Access,dc=example,dc=com
        sudo_provider = ldap
        ldap_sudo_search_base = ou=sudoers,ou=Access,dc=example,dc=com
        ldap_user_ssh_public_key = sshPublicKey

        [sssd]
        config_file_version = 2
        services = nss, pam, sudo, ssh
        domains = example.com

        [nss]
        debug_level = 9

        [pam]
        debug_level = 9

        [sudo]
        debug_level = 9

        [ssh]
      '';
    };

    nscd.config = ''
      enable-cache hosts no
      enable-cache passwd no
      enable-cache group no
      enable-cache netgroup no
      enable-cache services no
    '';
  };

  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/lib/sss" # sssd
    ];
  };

  ## TODO - Find a way to insert something into nsswitch rather than overwriting
  environment.etc."nsswitch.conf".text = lib.mkForce ''
    passwd: files sss systemd
    group: files sss [success=merge] systemd
    shadow: files sss
    sudoers: files sss
    hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
    networks: files
    ethers: files
    services: files sss
    protocols: files
    rpc: files
  '';

  security.pam.services.systemd-user.makeHomeDir = true;

  systemd.tmpfiles.rules = [
    "L /bin/bash - - - - /run/current-system/sw/bin/bash"
  ];
}
```
Regards,
Dave
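As an added example (not part of the post above and not project code), the following script statically checks the two files that sudo-via-SSSD depends on, sssd.conf and nsswitch.conf, for the prerequisites the post's configuration is trying to satisfy: the sudo responder enabled in `[sssd] services`, a sudo provider for each domain, and `sss` on the `sudoers:` line of nsswitch.conf. The embedded configs are constructed samples trimmed from the post; it also flags `ldap_tls_reqcert = never`, which disables LDAP server certificate validation.

```python
"""Static check of the two files sudo-via-SSSD depends on: sssd.conf and nsswitch.conf."""
import configparser

# Constructed sample mirroring the posted configuration (placeholder values, trimmed).
SSSD_CONF = """
[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap:636
ldap_tls_reqcert = never
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,ou=Access,dc=example,dc=com
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = example.com
"""
NSSWITCH = """
passwd: files sss systemd
group: files sss [success=merge] systemd
sudoers: files sss
"""


def nss_sources(nsswitch_text, database):
    """Source list for one nsswitch database, minus [status=action] tokens."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []


def lint_sudo_integration(sssd_text, nsswitch_text):
    """Return findings as strings; an empty list means all prerequisites are present."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services lacks 'sudo': the sudo responder is never started")
    for domain in cp.get("sssd", "domains", fallback="").split(","):
        sect = "domain/" + domain.strip()
        if not cp.has_section(sect):
            findings.append("[%s] section missing for a listed domain" % sect)
            continue
        # sudo_provider defaults to id_provider when unset; 'none' disables rule lookups
        provider = cp.get(sect, "sudo_provider", fallback=cp.get(sect, "id_provider", fallback="none"))
        if provider == "none":
            findings.append("[%s] no sudo provider: rules will never be fetched" % sect)
        if cp.get(sect, "ldap_tls_reqcert", fallback="demand") == "never":
            findings.append("[%s] ldap_tls_reqcert=never skips LDAP server certificate validation" % sect)
    if "sss" not in nss_sources(nsswitch_text, "sudoers"):
        findings.append("nsswitch.conf: 'sudoers' does not list sss, so sudo only reads /etc/sudoers")
    return findings


if __name__ == "__main__":
    for f in lint_sudo_integration(SSSD_CONF, NSSWITCH):
        print("finding:", f)
```

Run against the posted configuration, the only finding is the disabled certificate validation; the sudo-specific prerequisites in these two files are all present, which points the diagnosis at something outside them, such as whether the sudo binary itself was built with SSSD support.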