List: linux.debian.bugs.dist
From: Martin Pitt to All
Subject: Bug#770825: add sudoers entry to nsswitc
Date: 11 Feb 26 11:40:02
   
   From: mpitt@debian.org   
      
   Hello Marc and all,   
      
   Marc Haber [2026-02-10 14:50 +0100]:   
   > I was not aware that other things depended on that. We have discussed that   
   > numerous times inside the sudo team, and I think that I took that to -devel   
   > at least once, being well aware that our removing of the unmaintainable   
   > sudo-ldap might break things.   
   >   
   > I apologize for the additional work that this change caused despite the   
   > utmost care taken by the sudo team.   
      
   No worries! This wasn't meant as a blame, but as a discussion starter. I am not   
   familiar with the sudo-ldap deprecation, but that's (1) probably fine (you are   
   the expert here), and (2) I think only tangential for this bug.   
      
   > > But this is gone now. Consequently, libsss-sudo's postinst does not add 'sss'
   > > any more, as there is no 'sudoers:' line, and the `sed` just changes an
   > > existing one:
   > >
   > > -------------- 8< ---------------
   > > if ! grep -q -E -e '^sudoers:[^#]*\s(sss)(\s|#|$)' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
   > > # Installing sudoers/sss from libsss-sudo in position last
   > > sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^sudoers:\s[^#]*$/ s/$/ sss/' -e '/^sudoers:\s.*#/ s/#/ sss #/'
   > > fi
   > > -------------- 8< ---------------
   > >
   > > That leaves sssd configuration of sudo rules broken by default now. Could
   > > libsss-sudo adopt the "create entry" code from the late libnss-sudo?
      
   Doing that should fix the problem without the deprecated/removed libnss-sudo I   
   think, and it would be fairly unintrusive.   
      
   > Can you elaborate a bit on "sssd configuration of sudo rules"? The only
   > thing I have ever seen (and tested) is sssd contributing to getent passwd,
   > getent group et al.
   >
   > What would a test case to check "sssd configuration of sudo rules" look like?
      
   Cockpit's test suite models a typical "large org" setup: Centralized user   
   management with https://tracker.debian.org/pkg/freeipa ; part of that is   
   maintaining users and their roles in LDAP. sssd abstracts away most of that,   
   i.e. provides the integration into NSS, for both passwd/groups and also   
   `sudoers`, so that these can be managed centrally through IPA as well. I.e. our   
   test (effectively) calls `realmd join` which calls `ipa-client-install`.   
      
   On the IPA server side, you need to run the output of `ipa-advise   
   enable-admins-sudo` to enable central sudoers management.   
      
   Setting all of this up is quite involved. If it's unclear how this happens,   
   I can spend an hour trying to replicate everything in a Debian testing VM with   
   just a FreeIPA container -- but I hope that can be done in a simpler way? I.e.   
   extending the above sed shell code in the postinst to create a missing entry   
   keeps the previous behaviour with libnss-sudo, and reduces the dependency   
   assumption.   
      
   Thanks,   
      
   Martin   
      
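The "create entry" behaviour Martin asks libsss-sudo's postinst to adopt, as an added example (not the postinst code quoted in the bug report, nor code from libsss-sudo or libnss-sudo): a function that takes the nsswitch.conf path as a parameter and, unlike the quoted sed, also creates the `sudoers:` line when none exists. The function name and the default content of a newly created line (`sudoers: files sss`) are assumptions.

```shell
#!/bin/sh
# Added example, not the libsss-sudo postinst itself: make sure the NSS
# 'sudoers:' database in an nsswitch.conf lists the 'sss' source, creating
# the line when it is missing (the case the quoted postinst does not handle).
# Assumption: a newly created line defaults to "sudoers: files sss".
# Usage: ensure_sudoers_sss /etc/nsswitch.conf   (prints present|amended|created)
ensure_sudoers_sss() {
    conf="$1"
    # 'sss' already present as a token before any '#' comment: nothing to do.
    if grep -q -E -e '^sudoers:[^#]*[[:space:]]sss([[:space:]]|#|$)' "$conf"; then
        echo present
        return 0
    fi
    if grep -q -e '^sudoers:' "$conf"; then
        # A 'sudoers:' line exists: append 'sss' at its end, or just before a
        # trailing comment. Same idea as the quoted sed, written without -i
        # so it also works with non-GNU sed.
        sed -E -e '/^sudoers:[^#]*$/ s/$/ sss/' \
               -e '/^sudoers:.*#/ s/[[:space:]]*#/ sss #/' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
        echo amended
    else
        # No 'sudoers:' line at all (a fresh nsswitch.conf without libnss-sudo):
        # create it, which is what the late libnss-sudo's postinst used to do.
        printf 'sudoers: files sss\n' >> "$conf"
        echo created
    fi
}
```

Running it twice on the same file is a no-op the second time, so it is safe to call from a postinst on every upgrade.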