[Pkg-sssd-devel] Bug#770825: add sudoers entry to nsswitch.conf

Marc Haber mh+debian-packages at zugschlus.de
Tue Feb 10 13:50:08 GMT 2026


[adding sudo at packages.debian.org to keep the sudo team in the loop]

Hi Martin,

good to hear from you.

On Mon, Feb 09, 2026 at 02:00:06PM +0100, Martin Pitt wrote:
>This has become much more relevant now. Marc removed libnss-sudo [1], whose
>postinst previously created the `sudoers: files` entry:
>
>-------------- 8< ---------------
>	if ! grep -q -E '^sudoers:' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
>		echo "sudoers: " >> "${DPKG_ROOT}/etc/nsswitch.conf"
>	fi
>[...]
>	if ! grep -q -E  -e '^sudoers:[^#]*\s(files)(\s|#|$)' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
>		# Installing sudoers/files from libnss-sudo in position first
>		sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^sudoers:\s/ s/(:\s+)/\1files /'
>	fi
>-------------- 8< ---------------

I was not aware that other things depended on that. We have discussed 
that numerous times inside the sudo team, and I think that I took that 
to -devel at least once, being well aware that our removal of the 
unmaintainable sudo-ldap might break things.

I apologize for the additional work that this change caused despite the 
utmost care taken by the sudo team.

Sadly, the sudo team doesn't have enough LDAP knowledge to properly 
maintain sudo-ldap, and the LDAP "plugin" of sudo sadly never was a 
proper plugin upstream, making it necessary to have dedicated, 
conflicting binary packages for both feature sets (multiplying the 
effort necessary to provide packaged versions of "proper" sudo plugins).

I don't know why upstream never got around to making the LDAP plugin a 
proper plugin after implementing the plugin mechanism, but instead 
decided to keep it in the current "unicorn" state.

>But this is gone now. Consequently, libsss-sudo's postinst does not add 'sss'
>any more, as there is no 'sudoers:' line, and the `sed` just changes an
>existing one:
>
>-------------- 8< ---------------
>	if ! grep -q -E  -e '^sudoers:[^#]*\s(sss)(\s|#|$)' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
>		# Installing sudoers/sss from libsss-sudo in position last
>		sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^sudoers:\s[^#]*$/ s/$/ sss/' -e '/^sudoers:\s.*#/ s/#/ sss #/'
>	fi
>-------------- 8< ---------------
>
>That leaves sssd configuration of sudo rules broken by default now. Could
>libsss-sudo adopt the "create entry" code from the late libnss-sudo?

Hm. Why is that not caught in the sudo testsuite, which HAS a test case 
to configure slapd, sssd and sudo?

Can you elaborate a bit on "sssd configuration of sudo rules"? The only 
thing I have ever seen (and tested) is sssd contributing to getent 
passwd, getent group et al.

What would a test case to check "sssd configuration of sudo rules" look 
like?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
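As an added example (not code from libnss-sudo, libsss-sudo or anyone in this thread), the following shell script puts the two postinst steps quoted above side by side: first create the `sudoers:` line when it is absent, then insert a module in position first or last without clobbering a trailing `# comment`, and do nothing on a second run. Without the first step, the "append sss" sed has no line to match and silently does nothing, which is the failure Martin describes. The function names (`ensure_nss_line`, `add_nss_module`, `nss_line`, `demo`) and the sample nsswitch.conf are constructed for illustration, and like the original snippets it assumes GNU grep and sed (`-E`, `-i`).

```shell
#!/bin/sh
# Added example, not Debian packaging code. Idempotently manage one database
# line of an nsswitch.conf-style file. Requires GNU grep/sed.

# ensure_nss_line CONF DB
# Create an empty "DB: " line if the file has no line for DB yet. This is the
# step libnss-sudo's postinst performed and libsss-sudo's does not.
ensure_nss_line() {
    local conf=$1 db=$2
    if ! grep -q -E "^${db}:" "$conf"; then
        echo "${db}: " >> "$conf"
    fi
}

# add_nss_module CONF DB MODULE first|last
# Insert MODULE once into the DB line, before any trailing "# comment".
add_nss_module() {
    local conf=$1 db=$2 mod=$3 pos=$4
    ensure_nss_line "$conf" "$db"
    # Already present as a whole word before any comment: nothing to do.
    if grep -q -E -e "^${db}:[^#]*[[:space:]](${mod})([[:space:]]|#|$)" "$conf"; then
        return 0
    fi
    case $pos in
        first)
            # Put MODULE directly after the colon, normalising the spacing.
            sed -E -i -e "s/^(${db}:)[[:space:]]*/\\1 ${mod} /" "$conf"
            ;;
        last)
            # Line without a comment: append at the end.
            # Line with a comment: insert just before the first '#'.
            sed -E -i \
                -e "/^${db}:[^#]*$/ s/[[:space:]]*$/ ${mod}/" \
                -e "/^${db}:.*#/ s/[[:space:]]*#/ ${mod} #/" \
                "$conf"
            ;;
        *)
            echo "add_nss_module: position must be first or last" >&2
            return 1
            ;;
    esac
}

# nss_line CONF DB
# Print the DB line with the comment stripped and whitespace normalised,
# so results can be compared as plain strings.
nss_line() {
    grep -E "^$2:" "$1" | sed -E -e 's/#.*$//' -e 's/[[:space:]]+/ /g' -e 's/ $//'
}

# demo: replay the sequence from the thread on a constructed config that has
# no sudoers: line at all, then print the resulting sudoers line.
demo() {
    local tmp
    tmp=$(mktemp)
    # Constructed sample nsswitch.conf (no sudoers: entry).
    printf 'passwd:  files sss\ngroup:   files sss\n' > "$tmp"
    add_nss_module "$tmp" sudoers sss last     # libsss-sudo style, now safe
    add_nss_module "$tmp" sudoers files first  # libnss-sudo style
    add_nss_module "$tmp" sudoers sss last     # second run: no duplicate
    nss_line "$tmp" sudoers
    rm -f "$tmp"
}
```

Run as `sh script.sh; demo` or source it and call the functions; `demo` prints `sudoers: files sss`. The comment-aware `last` branch is the same idea as the quoted libsss-sudo sed; the `first` branch differs from libnss-sudo's in that it also accepts a `sudoers:` line that has nothing after the colon.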
