I have several Linux distributions (openSUSE/Ubuntu/CentOS) running with user management in Active Directory and connected via SSSD.
Also SSH Public Keys and SUDO rules are defined in AD.
All Linux hosts have basically the same setup for this.
- chrony/ntpd/systemd-timesyncd is using the same time source as the domain controller
- DNS of domain controller is used
- AD domain join via realmd
All distributions share the same configuration for SSSD, SSH and nsswitch.
openSUSE LEAP 15.3 is behaving strangely:
After logging in with an AD account via SSH, I can list the sudo permissions for that account with
sudo -l
and the correct permissions, which are defined in AD, get listed:
> sudo -l
[sudo] password for myuser@mydomain.int:
Matching Defaults entries for myuser@mydomain.int on openSUSE15Test2:
    env_keep+=SSH_AUTH_SOCK, targetpw

User myuser@mydomain.int may run the following commands on openSUSE15Test2:
    (root) ALL
    (ALL) ALL
So the SSSD sudo provider is working and is also caching the correct rules.
Also
id myuser@mydomain.int
shows the correct UID and GIDs.
If the account wants to make use of sudo, the following error occurs:
> sudo less /etc/sudoers
[sudo] password for root:
sudo: PAM authentication error: User not known to the underlying authentication module
sudo: a password is required
So given that the other distributions play nicely with this setup and let AD accounts use sudo with rules defined in AD, I suspect that this error is related to PAM configuration.
I have not touched the PAM configuration yet, on either openSUSE or any other distribution.
Can anyone point me in a direction for getting this solved?
Relevant configuration files:
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo
domains = mydomain.int
debug_level = 10
[nss]
debug_level = 10
[pam]
debug_level = 10
[sudo]
debug_level = 10
[domain/mydomain.int]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYDOMAIN.INT
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = mydomain.int
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
simple_allow_groups = Unix admins@MYDOMAIN.INT
ldap_user_ssh_public_key = sshPublicKey
/etc/ssh/sshd_config
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
AuthenticationMethods publickey,password
Match User root
AuthenticationMethods password
PubkeyAuthentication no
PasswordAuthentication yes
/etc/nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat sss
sudoers: sss files
hosts: files dns
networks: files dns
aliases: files usrfiles
ethers: files usrfiles
gshadow: files usrfiles sss
netgroup: files nis sss
protocols: files usrfiles
publickey: files
rpc: files usrfiles
services: files usrfiles
automount: files nis
bootparams: files
netmasks: files
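One detail in the output above is worth checking before changing anything in PAM: `sudo -l` shows `targetpw` among the Defaults, and the failing command prompts for the password of root rather than of myuser@mydomain.int. With `targetpw` set, sudo authenticates the target user (root unless -u is given) instead of the invoking user, so the PAM lookup that reports "User not known to the underlying authentication module" is the one for root, not for the AD account. The following script is an added diagnostic, not part of the original question or of any of the projects mentioned: it parses `sudo -l` output for the `targetpw` Default and extracts the account named in a sudo password prompt. The sample input is copied from the post above.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): read `sudo -l` output and
# report whether the `targetpw` Default is in effect. When it is, sudo asks for
# the password of the *target* user (root by default), so a PAM failure on
# "sudo <cmd>" concerns root's stack even when "sudo -l" works for the AD user.

# Return 0 if a Defaults entry named exactly "targetpw" appears in the
# "Matching Defaults entries" section of `sudo -l` output read from stdin.
has_targetpw() {
    awk '
        /^Matching Defaults entries/ { in_defaults = 1; next }
        /^User .* may run/           { in_defaults = 0 }
        in_defaults {
            # Defaults are comma-separated and may span several indented lines.
            n = split($0, opts, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[i])
                if (opts[i] == "targetpw") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Print the account whose password sudo is asking for, given a prompt line
# such as "[sudo] password for root:" on stdin.
prompt_account() {
    sed -n 's/^\[sudo\] password for \([^:]*\):.*$/\1/p'
}

# Sample `sudo -l` output, taken from the question (not captured live here).
SUDO_L_OUTPUT='Matching Defaults entries for myuser@mydomain.int on openSUSE15Test2:
    env_keep+=SSH_AUTH_SOCK, targetpw

User myuser@mydomain.int may run the following commands on openSUSE15Test2:
    (root) ALL
    (ALL) ALL'

# Prompt seen when the same user actually runs a command (also from the post).
FAILING_PROMPT='[sudo] password for root:'

if printf '%s\n' "$SUDO_L_OUTPUT" | has_targetpw; then
    echo "targetpw is set: sudo authenticates the target user, not the invoking user"
else
    echo "targetpw is not set: sudo authenticates the invoking user"
fi
echo "account named in the failing prompt: $(printf '%s\n' "$FAILING_PROMPT" | prompt_account)"
```

On a live host, pipe the real output in instead of the embedded sample: `sudo -l | has_targetpw`. If it reports targetpw and the prompt names root, the next thing to compare between the openSUSE host and the working distributions is how the sudo PAM stack authenticates root, rather than the sss configuration for the AD account, which `sudo -l` has already shown to work.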