Comment 2 for bug 1249777

Oliver Brakmann (obrakmann) wrote :

I know that the sudo package has not changed _at all_ since Raring, where the problem didn't show up. sssd, on the other hand, changed quite a lot.

It affects both local and LDAP users. I don't have any sudo config in LDAP, which is probably the problem.

What I believe happens is that either or both of sudo and sssd do not correctly cope with the situation of the sudo configuration not being available in the sssd backing store. Sudo asks sssd for the "cn=defaults" entry from LDAP, sssd looks for it, doesn't find anything and returns an error. Sudo sees the error and complains.

I can come up with three possible solutions:

1) patch sudo to not log a message when sssd returns an error.
=> probably not the best solution, since we may miss real errors, too.

2) patch sssd to not return an error when the configuration isn't found.
=> probably slightly better than (1), but we still might miss real errors (I think). BTW, the offending code starts here: https://git.fedorahosted.org/cgit/sssd.git/tree/src/sss_client/sudo/sss_sudo.c#n109

3) patch the sssd package to not alter the nsswitch.conf.
=> this is probably the best solution. I think the people that store the sudo config in LDAP are quite the minority. I also think that those people know that they need to modify their nsswitch.conf for their configuration to work. Goes a bit against the spirit of Ubuntu, though.
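As an added check for option (3), not code from the bug report or from the sudo/sssd projects: a small Python script that parses nsswitch.conf text (the embedded sample is constructed, not the reporter's file), reports whether the sudoers database is routed through sss, and builds a copy with sss dropped from that line only, so LDAP user resolution is left alone.

```python
"""Inspect and adjust the 'sudoers' line of an nsswitch.conf.

Added example, not from the bug report. The comment above argues that the
sssd package adds 'sss' to the 'sudoers' database, which makes sudo ask sssd
for rules even when none are stored in LDAP; these helpers show that line.
"""
import re
from typing import Dict, List

# Constructed sample (assumption: resembles what the sssd package writes;
# the reporter's actual /etc/nsswitch.conf is not on the page).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         compat sss
group:          compat sss
shadow:         compat sss
hosts:          files dns
sudoers:        files sss
netgroup:       nis sss
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]}; comments and blank lines are skipped."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        table[db.strip()] = sources.split()  # action items like [NOTFOUND=return] stay
    return table


def sudoers_uses_sss(text: str) -> bool:
    """True if NSS will send sudo's rule lookups to sssd."""
    return "sss" in parse_nsswitch(text).get("sudoers", [])


def remove_sss_from_sudoers(text: str) -> str:
    """Copy of the file with 'sss' removed from the sudoers line only."""
    out = []
    for line in text.splitlines():
        if re.match(r"^\s*sudoers\s*:", line):
            key, _, sources = line.partition(":")
            kept = [s for s in sources.split() if s != "sss"]
            line = f"{key}:{' ' * 8}{' '.join(kept)}"
        out.append(line)  # every other database (passwd, group, ...) untouched
    return "\n".join(out) + "\n"
```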