sudo-ldap modifies nsswitch.conf from sss to ldap

Asked by Mario Mech

Our systems (server Ubuntu 20.04, clients 22.04) are configured to get the sudoers directives from LDAP with the help of sssd. This works pretty well with having

sudoers: files sss

in /etc/nsswitch.conf. Whenever sudo-ldap is updated it gets changed to

sudoers: files ldap

This happens with the postinst script (lines 25-28), where the line (sudoers: files ldap) is added. Unfortunately, I did not find where the old line containing the correct entries gets removed, which is the origin of the configuration trouble.

Is there a way to prevent the update procedure from changing /etc/nsswitch.conf?

Question information

Language: English
Status: Solved
For: Ubuntu sudo
Assignee: No assignee
Solved by: Mario Mech

shah (shahaast788) said :
#2

The sudo-ldap package is an extension of the sudo package that allows system administrators to configure sudo to use an LDAP directory for sudo configuration data, instead of relying on local files or NIS.

When sudo-ldap is installed, it modifies the nsswitch.conf file to change the sudoers entry from sss to ldap, indicating that sudo should use the LDAP directory for sudo configuration data.

The nsswitch.conf file is the configuration file for the Name Service Switch (NSS) library, which determines the order and sources of various name services, including user authentication and authorization. Changing the sudoers entry from sss to ldap in nsswitch.conf instructs the NSS library to consult the LDAP directory for sudo configuration data, instead of using local files or NIS.

It's worth noting that modifying nsswitch.conf should be done with caution and only by experienced system administrators, as changes to this file can impact the system's overall functionality and security.

Mario Mech (mariomech) said :
#3

Thank you very much for your reply. Although it did not really answer my question, it pointed me to a misconfiguration on our systems by mixing the two approaches of using sudo-ldap and sssd for getting sudo directives from the ldap server. Getting rid of the sudo-ldap package and configuring sudo properly via sssd solved the problem.
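
A drift check for the situation in this thread, as an added example that is not from the original posts or from the sudo-ldap package: it reads an nsswitch.conf-style file and reports whether the sudoers line still matches the expected "files sss". The function name, status words and exit codes are assumptions made for illustration, and the sample file is constructed.

```shell
#!/bin/sh
# check_sudoers_nss FILE [EXPECTED]
# Prints one status word and returns a matching exit code (both hypothetical):
#   ok (0)          sudoers line equals EXPECTED (default "files sss")
#   drift-ldap (1)  sudoers line lists "ldap", as seen after a sudo-ldap update
#   drift-other (1) sudoers line differs from EXPECTED in some other way
#   missing (2)     no active sudoers line
#   duplicate (3)   more than one active sudoers line (old and new both present)
check_sudoers_nss() {
    file=$1
    expected=${2:-"files sss"}

    # Drop comments, keep only "sudoers:" lines, normalise whitespace,
    # and emit "<count>|<sources of the last such line>".
    result=$(awk '
        { sub(/#.*/, "") }
        sub(/^[ \t]*sudoers:[ \t]*/, "") { $1 = $1; n++; last = $0 }
        END { printf "%d|%s", n, last }' "$file")
    count=${result%%|*}
    sources=${result#*|}

    if [ "$count" -eq 0 ]; then echo "missing"; return 2; fi
    if [ "$count" -gt 1 ]; then echo "duplicate"; return 3; fi
    if [ "$sources" = "$expected" ]; then echo "ok"; return 0; fi

    # Pad with spaces so "ldap" only matches as a whole source name.
    case " $sources " in
        *" ldap "*) echo "drift-ldap"; return 1 ;;
    esac
    echo "drift-other"
    return 1
}

# Constructed sample: the state described in the question after an update.
sample=$(mktemp)
printf 'passwd:  files sss\nsudoers: files ldap\n' > "$sample"
echo "sample file: $(check_sudoers_nss "$sample" || true)"
rm -f "$sample"
```

Run against /etc/nsswitch.conf from a configuration-management check or a post-upgrade hook, a non-zero exit code signals that the sudoers source has moved away from sssd.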