SSSD + Active Directory: AD-Users can not use sudo

I have several Linux distributions (openSUSE/Ubuntu/CentOS) running with user management in Active Directory and connected via SSSD.
SSH public keys and sudo rules are also defined in AD.

All Linux hosts have basically the same setup for this.

  • chrony/ntpd/systemd-timesyncd is using the same time source as the domain controller
  • The domain controller's DNS is used
  • AD domain join via realmd

All distributions share the same configuration for SSSD, SSH and nsswitch.

openSUSE LEAP 15.3 is behaving strangely:

After logging in with an AD account via SSH, I can list the sudo permissions for that account with

sudo -l

and the correct permissions, which are defined in AD, get listed:

> sudo -l
[sudo] password for
Matching Defaults entries for on openSUSE15Test2:
    env_keep+=SSH_AUTH_SOCK, targetpw

User may run the following commands on openSUSE15Test2:
    (root) ALL
    (ALL) ALL

So the SSSD sudo provider is working and also caching the correct rules.


shows the correct UID and GIDs.

If the account wants to make use of sudo, the following error occurs:

> sudo less /etc/sudoers
[sudo] password for root:
sudo: PAM authentication error: User not known to the underlying authentication module
sudo: a password is required

So given that the other distributions play nicely with this setup and let AD accounts use sudo with rules defined in AD, I suspect that this error is related to PAM configuration.
I have not touched the PAM configuration yet, on openSUSE or on any other distribution.

Can anyone point me in a direction for getting this solved?

Relevant configuration files:

/etc/sssd/sssd.conf:

config_file_version = 2
services = nss, pam, ssh, sudo
domains =
debug_level = 10

debug_level = 10

debug_level = 10

debug_level = 10

default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYDOMAIN.INT
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain =
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
simple_allow_groups = Unix admins@MYDOMAIN.INT
ldap_user_ssh_public_key = sshPublicKey


/etc/ssh/sshd_config:

AuthorizedKeysFile      .ssh/authorized_keys
UsePAM yes
X11Forwarding yes

Subsystem       sftp    /usr/lib/ssh/sftp-server


AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
AuthenticationMethods publickey,password

Match User root
AuthenticationMethods password
PubkeyAuthentication no
PasswordAuthentication yes


/etc/nsswitch.conf:

passwd:         compat sss
group:          compat sss
shadow:         compat sss
sudoers:        sss files

hosts:          files dns
networks:       files dns

aliases:        files usrfiles
ethers:         files usrfiles
gshadow:        files usrfiles sss
netgroup:       files nis sss
protocols:      files usrfiles
publickey:      files
rpc:            files usrfiles
services:       files usrfiles

automount:      files nis
bootparams:     files
netmasks:       files

I fixed the problem for openSUSE 15.3 and also for SLES 12.4.
Just commented out these two lines in /etc/sudoers:

#Defaults targetpw   # ask for the password of the target user i.e. root
#ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

Sounds like you want “filter_users = root” in sssd configuration so it performs local lookup.

This is very unlikely to be the problem (except it is dangerous without “Defaults targetpw”).
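The two sudoers lines the asker commented out, and the warning in the last reply, as an added shell check that is not part of any post on this page: it classifies a sudoers file by whether `Defaults targetpw` and `ALL ALL=(ALL) ALL` are active, so the half-fix where only targetpw is disabled (any account may then run anything with its own password) stands out. Assumptions: the sample files are constructed here, and #include/#includedir directives are not followed.

```shell
#!/bin/sh
# Classify a sudoers file by the two openSUSE default lines discussed above:
#   Defaults targetpw   -> sudo asks for the *target* user's (root's) password
#   ALL ALL=(ALL) ALL   -> every account may run every command
# Together they mean "anyone who knows the root password may use sudo"; the ALL
# rule without targetpw means "anyone may run anything with their own password".
# Limitation (assumption): #include/#includedir directives are not followed.

# Active directives only: strip comments, leading blanks and empty lines.
active_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# Prints one of: both | targetpw-only | all-rule-only | none
sudoers_state() {
    tp=0; all=0
    active_lines "$1" | grep -Eq '^Defaults[[:space:]]+([^[:space:]]+[[:space:],]+)*targetpw([[:space:],]|$)' && tp=1
    active_lines "$1" | grep -Eq '^ALL[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$' && all=1
    case "$tp$all" in
        11) echo both ;;
        10) echo targetpw-only ;;
        01) echo all-rule-only ;;
        *)  echo none ;;
    esac
}

# Succeeds (exit 0) only for the configuration the last reply warns about.
sudoers_is_dangerous() {
    [ "$(sudoers_state "$1")" = all-rule-only ]
}

# Constructed samples (not taken from any real host): the stock pair, the
# asker's fix, and the half-fix where only targetpw was commented out.
write_samples() {
    printf 'Defaults targetpw   # ask for the password of the target user\nALL   ALL=(ALL) ALL   # WARNING! Only use this together with Defaults targetpw\nroot ALL=(ALL) ALL\n' > "$1/stock"
    printf '#Defaults targetpw\n#ALL   ALL=(ALL) ALL\nroot ALL=(ALL) ALL\n' > "$1/fixed"
    printf '#Defaults targetpw\nALL   ALL=(ALL) ALL\nroot ALL=(ALL) ALL\n' > "$1/halffix"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in stock fixed halffix; do
    printf '%-8s %s\n' "$f" "$(sudoers_state "$tmp/$f")"
done
rm -rf "$tmp"
```

Run it against the real file with `sudoers_state /etc/sudoers` on a host; the `sudo -l` output shown in the question ("Matching Defaults entries ... targetpw") is the live counterpart of this check.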