Hi,
I've joined an AD domain with sssd. Mostly everything works. But I can't get the sudoers permissions to work.

For testing I've tried the Domain Users group. But it's not working.
I can getent passwd and getent group with the group name or user name or uid/gid.
I can login to the server.

My nsswitch.conf file
Code:
..
sudoers:        files
..

My sssd.conf
Code:
[sssd]
config_file_version = 2
debug_level = 7
services = nss,pam
domains = domain.com

[nss]
filter_users = root
filter_groups = root

[pam]


[domain/domain.com]
debug_level = 7
id_provider = ad
auth_provider = ad
enumerate = false
cache_credentials = true
case_sensitive = true

ad_domain = domain.com
ldap_search_base =ou=xx,ou=xx,dc=domain,dc=com

access_provider = ad
ad_access_filter = (memberOf=cn=xx,ou=xx,ou=xx,ou=xx,dc=domain,dc=com)

ad_gpo_ignore_unreadable = true
ad_gpo_access_control = disabled

My sudoers file
Code:
root ALL=(ALL) ALL
%domain\ users ALL=(ALL) ALL

I've also tried with domain\\domain\ users, with @domain, etc. But since I can search for "getent group domain\ users" and can log in w/o any domain prefix, I think the plain group name should be correct.

When I run sudo -l with a user of the domain users group I get

Code:
Matching Defaults entries for user on machine:
    always_set_home, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin, env_reset,
    env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",
    !insults, targetpw

User user may run the following commands on machine:
    (ALL) ALL
    (ALL) ALL

And when I do "sudo -i" I get asked for root's password, not my own. Even if I don't add a group but just my user to sudoers it doesn't work.



Thank you!
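
Added example, not part of the original post: the `sudo -l` output above lists `targetpw` among the Defaults, and with that option sudo prompts for the password of the target user (root, for `sudo -i`) instead of the invoking user's. The function below (hypothetical name `sudo_prompt_password`) reads `sudo -l` output and reports whose password sudo will ask for; the embedded sample is constructed from the output in the post, and Defaults values are assumed to contain no commas.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `sudo -l` output on stdin
# and prints whose password sudo will prompt for:
#   root | runas_default | target | invoking
# Assumption: no Defaults value in the listing contains a comma.
sudo_prompt_password() {
    awk '
        /^Matching Defaults entries/ { in_defaults = 1; next }
        in_defaults && /^[ \t]*$/    { in_defaults = 0 }   # blank line ends the block
        in_defaults                  { block = block " " $0 }
        END {
            n = split(block, entry, ",")
            for (i = 1; i <= n; i++) {
                flag = entry[i]
                gsub(/^[ \t]+|[ \t]+$/, "", flag)
                on = 1
                if (substr(flag, 1, 1) == "!") { on = 0; flag = substr(flag, 2) }
                # Later entries override earlier ones, as in sudoers itself.
                if (flag == "rootpw" || flag == "runaspw" || flag == "targetpw")
                    state[flag] = on
            }
            # Same precedence sudo applies: rootpw, then runaspw, then targetpw.
            if (state["rootpw"])        print "root"
            else if (state["runaspw"])  print "runas_default"
            else if (state["targetpw"]) print "target"
            else                        print "invoking"
        }'
}

# Constructed sample, shortened from the `sudo -l` output shown in the post.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for user on machine:
    always_set_home, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin, env_reset,
    env_keep="LANG LC_ADDRESS LC_CTYPE", !insults, targetpw

User user may run the following commands on machine:
    (ALL) ALL
EOF
}

sample_sudo_l | sudo_prompt_password   # prints: target
```

A `target` result matches the symptom described in the post; on a live host, run `sudo -l | sudo_prompt_password`. Before negating the option with `Defaults !targetpw` (edited through `visudo`), review every rule that grants `(ALL) ALL`, since those users will then authenticate with their own password.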