sssd: disable sudo by default

SSSD's sudo responder is not enabled by default on Fedora systems,
therefore having it enabled in nsswitch.conf produced warnings in
logs or sudo mails.

profiles/sssd/README

@@ -50,6 +50,9 @@ with-fingerprint::
 with-silent-lastlog::
     Do not produce pam_lastlog message during login.
 
+with-sudo::
+    Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers.
+
 EXAMPLES
 --------
 

profiles/sssd/nsswitch.conf

@@ -3,7 +3,7 @@ group:      sss files
 netgroup:   sss files
 automount:  sss files
 services:   sss files
-sudoers:    files sss
+sudoers:    files {if "with-sudo":sss}
 
 shadow:     files
 ethers:     files