Home / ubuntu / Questions / 912176
Accepted
Tilman
Asked: 2017-05-06 04:05:38 +0800 CST

How to prevent sssd package from modifying nsswitch.conf

  • 772

We are running sssd on a number of Xenial servers to authenticate against Active Directory.

Upon installation, the sssd package added sss to most lines in /etc/nsswitch.conf as documented in https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-nsswitch . Regrettably, this includes the sudoers line, which results in an error message

problem with defaults entries

being mailed to the root account for every single use of sudo, which in our case includes an important number of cron jobs resulting in a lot of mails.

This is easily fixed by manually removing sss from that line again. However, each update of the sssd package re-adds that unwanted entry, triggering another flood of mails before we manually remove it again.

How can we avoid that?

apt

1 Answers

  1. Best Answer

    The solution on the bug report is to disable sudo support. From the link:

    As a workaround that doesn't require changing /etc/nsswitch.conf, you can also explicitely disable sudo support for your sssd domain :

    [sssd]
services = nss, pam, sudo

[mydomain/LDAP]
sudo_provider = none

    This is easily fixed by manually removing sss from that line again. However, each update of the sssd package re-adds that unwanted entry, triggering another flood of mails before we manually remove it again.

    An update should not change a configuration file. Configuration files contain specific directives for your system and not for all systems for all users. I would consider that a bug.

    • 1