[sudo-users] LDAP Sudoers with SSSD

Clayton Daley clayton.daley at gmail.com
Mon Jun 19 13:58:07 MDT 2017


Good Afternoon,

I'm trying to get LDAP sudoers working with Active Directory and SSSD
(1.13.4-1ubuntu1.5) on Ubuntu 16.04.  I've downloaded and installed the
latest sudo (1.8.20-3, tried both LDAP and non-LDAP versions) to preclude
several resolved bugs.  The sudoers groups are stored in AD and make it all
the way to sudo_debug.log (sanitized):

Jun 19 14:53:28 sudo[60452] Received 2 rule(s)
Jun 19 14:53:28 sudo[60452] -> sudo_sss_filter_result @ ./sssd.c:225
...
Jun 19 14:53:28 sudo[60452] sssd/ldap sudoHost 'ALL' ... MATCH!
...
Jun 19 14:53:28 sudo[60452] val[0]=%linuxadmins
...
Jun 19 14:53:28 sudo[60452] sudo_get_grlist: looking up group names for user@domain.com
...
Jun 19 14:53:28 sudo[60452] sudo_getgrgid: gid 1157000513 [] -> group domain users@domain.com [] (cache hit)
...
Jun 19 14:53:28 sudo[60452] user_in_group: user user@domain.com NOT in group linuxadmins
Jun 19 14:53:28 sudo[60452] <- user_in_group @ ./pwutil.c:1031 := false
Jun 19 14:53:28 sudo[60452] user user@domain.com matches group linuxadmins: false @ usergr_matches() ./match.c:969
Jun 19 14:53:28 sudo[60452] <- usergr_matches @ ./match.c:970 := false
Jun 19 14:53:28 sudo[60452] sssd/ldap sudoUser '%linuxadmins' ... not (user@domain.com)
...

The user is definitely in linuxadmins (also sanitized):

$ getent group linuxadmins
linuxadmins@domain.com:*:1157001133:user@domain.com,otheruser@domain.com

It looks like sudo_get_grlist is returning only the primary group and not a
complete list of groups.  I found a couple of archived items mentioning the
primary group but, for example, changing the order in nsswitch didn't seem
to make any difference for me.  Does this happen within sudo or is this
coming from somewhere else like SSSD?  If it's happening inside sudo, is
there anything I can do about it?

Thanks,

Clayton
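As an added diagnostic for the situation described in this post (my own example, not code from the post, from sudo or from SSSD): a small Python script that parses sudo_debug.log lines of the shape shown above together with `getent group` and `getent passwd` output, and reports, for each group sudo rejected in user_in_group, whether NSS considers the user a member (through the member list or the primary gid) and whether that group ever appeared in the group list sudo resolved via sudo_getgrgid. The sample log lines, names, gids and home directory are constructed placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input modelled on the sudo_debug.log excerpt above
# (names and gids are placeholders, not real output).
SUDO_DEBUG_LOG = """\
Jun 19 14:53:28 sudo[60452] Received 2 rule(s)
Jun 19 14:53:28 sudo[60452] sssd/ldap sudoHost 'ALL' ... MATCH!
Jun 19 14:53:28 sudo[60452] sudo_get_grlist: looking up group names for user@domain.com
Jun 19 14:53:28 sudo[60452] sudo_getgrgid: gid 1157000513 [] -> group domain users@domain.com [] (cache hit)
Jun 19 14:53:28 sudo[60452] user_in_group: user user@domain.com NOT in group linuxadmins
Jun 19 14:53:28 sudo[60452] sssd/ldap sudoUser '%linuxadmins' ... not (user@domain.com)
"""

# Constructed `getent group` / `getent passwd` output for the same placeholder domain.
GETENT_GROUP = """\
domain users@domain.com:*:1157000513:
linuxadmins@domain.com:*:1157001133:user@domain.com,otheruser@domain.com
"""
GETENT_PASSWD = "user@domain.com:*:1157001104:1157000513:User:/home/user@domain.com:/bin/bash\n"

GRLIST_RE = re.compile(r"sudo_get_grlist: looking up group names for (\S+)")
GETGRGID_RE = re.compile(r"sudo_getgrgid: gid (\d+) \[\] -> group (.+?) \[\]")
NOT_IN_RE = re.compile(r"user_in_group: user (\S+) NOT in group (.+)$")


def short_name(name: str) -> str:
    """Normalise 'name@DOMAIN' and 'name' to a lower-case short name for comparison."""
    return name.strip().split("@", 1)[0].lower()


def parse_sudo_log(text: str) -> Tuple[str, Dict[str, int], List[str]]:
    """Return (user, {group: gid} sudo resolved, [groups sudo rejected]) from debug lines."""
    user = ""
    resolved: Dict[str, int] = {}
    denied: List[str] = []
    for line in text.splitlines():
        if m := GRLIST_RE.search(line):
            user = m.group(1)
        elif m := GETGRGID_RE.search(line):
            resolved[short_name(m.group(2))] = int(m.group(1))
        elif m := NOT_IN_RE.search(line):
            denied.append(short_name(m.group(2)))
    return user, resolved, denied


def parse_getent_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Parse `getent group` lines into {short group name: (gid, {short member names})}."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[short_name(name)] = (int(gid), {short_name(m) for m in members.split(",") if m})
    return groups


def primary_gid(passwd_text: str, user: str) -> int:
    """Return the primary gid of `user` from `getent passwd` output, or -1 if absent."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and short_name(fields[0]) == short_name(user):
            return int(fields[3])
    return -1


def diagnose(log_text: str, group_text: str, passwd_text: str) -> dict:
    """Compare sudo's view of the user's groups with what NSS (getent) reports."""
    user, resolved, denied = parse_sudo_log(log_text)
    nss = parse_getent_group(group_text)
    pgid = primary_gid(passwd_text, user)
    findings: List[Tuple[str, str]] = []
    for group in denied:
        entry = nss.get(group)
        if entry is None:
            findings.append((group, "NSS does not return this group at all"))
            continue
        gid, members = entry
        nss_member = short_name(user) in members or gid == pgid
        if not nss_member:
            findings.append((group, "NSS agrees: the user is not a member"))
        elif group in resolved:
            findings.append((group, "sudo resolved the group yet still rejected the match"))
        else:
            seen = ", ".join(sorted(resolved)) or "none"
            findings.append((group, f"NSS lists the user as a member, but the group list sudo resolved ({seen}) never included it"))
    return {"user": user, "sudo_groups": sorted(resolved), "findings": findings}


if __name__ == "__main__":
    report = diagnose(SUDO_DEBUG_LOG, GETENT_GROUP, GETENT_PASSWD)
    print(f"user: {report['user']}")
    print(f"groups sudo resolved: {report['sudo_groups']}")
    for group, verdict in report["findings"]:
        print(f"  {group}: {verdict}")
```

To use it on a real host, replace the three constants with the contents of the debug log configured in sudo.conf and the output of `getent group` and `getent passwd <user>`. The comparison strips any `@domain` suffix, so a fully qualified name in the NSS output still compares equal to the short name sudo prints after the `%`; a finding in the last category means NSS and sudo disagree about the supplementary group list, which is the gap the post describes.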

