Bug 608

Summary: sudo uses incorrect kerberos credential cache file, fails when configured for ldap on Cent 6
Product: Sudo
Reporter: Ryanne Fox <ryannekfox>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.7
Hardware: PC
OS: Linux

Description Ryanne Fox 2013-07-16 17:16:02 MDT
Reproduced with 1.8.7-1.el6 rpm from sudo website, and 1.8.6p3-7.el6 from cent-current.

[rfox@client PROD ~]$ /opt/likewise/bin/klist 
Ticket cache: FILE:/tmp/krb5cc_108139
Default principal: rfox@example.com

Valid starting     Expires            Service principal
07/16/13 15:50:32  07/17/13 01:50:32  krbtgt/example.com@example.com
	renew until 07/17/13 03:50:32
07/16/13 15:50:32  07/17/13 01:50:32  host/client.example.com@
	renew until 07/17/13 03:50:32
07/16/13 15:50:32  07/17/13 01:50:32  host/client.example.com@example.com
	renew until 07/17/13 03:50:32
07/16/13 14:20:54  07/17/13 00:20:31  ldap/dc001.example.com@example.com
	renew until 07/17/13 02:20:32
07/16/13 14:21:16  07/17/13 00:20:31  ldap/dc002.example.com@example.com
	renew until 07/17/13 02:20:32

[rfox@client PROD ~]$ id       
uid=108139(rfox) ...

[rfox@client PROD ~]$ sudo -l
sudo: ldap_sasl_interactive_bind_s(): Local error
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

From /var/log/messages:
Jul 16 16:01:28 client sudo: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)

[rfox@client PROD ~]$ ln -s /tmp/krb5cc_108139 /tmp/krb5cc_0
[rfox@client PROD ~]$ sudo -l
[sudo] password for rfox: 
User rfox may run the following commands on this host:
    (root) ALL
Comment 1 Todd C. Miller 2013-07-22 16:39:23 MDT
I suspect this is because the sudoers LDAP code runs with real and effective UIDs set to zero.  What is the value of the KRB5CCNAME environment variable?
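An added diagnostic, not code from this bug report or from the sudo project: it models the cache selection behind the error above (libkrb5 opens KRB5CCNAME when it is set, otherwise the built-in default, here the classic FILE:/tmp/krb5cc_<uid>, expanded with the uid of the process doing the bind), and flags when a bind running with uid 0 would miss the invoking user's cache. The function names, the FILE: default, and the `run` argument are assumptions of this example; hosts built with KEYRING: or DIR: defaults resolve cache names differently.

```shell
#!/bin/sh
# Added example, not code from this bug report or from sudo: models which
# credential cache libkrb5 opens, and why a bind running with uid 0 looks
# for /tmp/krb5cc_0 instead of the invoking user's cache.
# Assumption: the classic FILE:/tmp/krb5cc_<uid> default seen in this report.

# resolve_ccache UID KRB5CCNAME
# Prints the cache name libkrb5 would open: KRB5CCNAME when non-empty,
# otherwise the built-in default expanded with UID.
resolve_ccache() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf 'FILE:/tmp/krb5cc_%s\n' "$1"
    fi
}

# ccache_path NAME: strip a FILE: prefix so the name can be tested on disk.
ccache_path() {
    case $1 in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# check_bind_cache BIND_UID KRB5CCNAME USER_UID
# Succeeds when a bind running as BIND_UID would open the invoking user's
# own cache; fails when it falls through to BIND_UID's default cache
# (the /tmp/krb5cc_0 failure in this report).
check_bind_cache() {
    [ "$(resolve_ccache "$1" "$2")" = "FILE:/tmp/krb5cc_$3" ]
}

# diagnose: live report for the current user, mirroring the klist / id /
# sudo -l sequence in the description.
diagnose() {
    uid=$(id -u)
    user_cache=$(resolve_ccache "$uid" "${KRB5CCNAME:-}")
    root_cache=$(resolve_ccache 0 "")
    printf 'uid=%s KRB5CCNAME=%s\n' "$uid" "${KRB5CCNAME:-<unset>}"
    printf 'cache for this user:    %s\n' "$user_cache"
    printf 'default cache at uid 0: %s\n' "$root_cache"
    for name in "$user_cache" "$root_cache"; do
        path=$(ccache_path "$name")
        if [ -L "$path" ]; then
            # A symlink here is the workaround from the description; report
            # who owns it so it can be removed once sudoers.so is fixed.
            printf '  %s is a symlink -> %s (owner %s)\n' "$path" \
                "$(readlink "$path")" "$(ls -ld "$path" | awk '{print $3}')"
        elif [ -e "$path" ]; then
            printf '  %s exists\n' "$path"
        else
            printf '  %s missing\n' "$path"
        fi
    done
    if [ -z "${KRB5CCNAME:-}" ]; then
        echo 'KRB5CCNAME unset: a uid-0 bind has nothing to inherit'
    elif check_bind_cache 0 "$KRB5CCNAME" "$uid"; then
        echo 'a uid-0 bind that keeps KRB5CCNAME opens your cache'
    fi
    echo "a uid-0 bind that drops KRB5CCNAME opens $root_cache"
}

# Run the live check only when asked, so the file can also be sourced.
case "${1:-}" in
    run) diagnose ;;
esac
```

`sh check_ccache.sh run` prints the picture for the current login; with KRB5CCNAME unset or dropped, the last line names the uid-0 default that the GSSAPI error in /var/log/messages complained about. If the uid-0 default in /tmp shows up as a symlink owned by an unprivileged user, that is the workaround from the description and is worth removing after the fixed sudoers.so is installed, since root's default cache name then points at a user-controlled file.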
Comment 2 Ryanne Fox 2013-07-26 11:04:41 MDT
[rfox@client PROD ~]$ echo $KRB5CCNAME
FILE:/tmp/krb5cc_108139
Comment 3 Todd C. Miller 2013-07-29 12:53:23 MDT
Please try one of the sudo-1.8.7-2.el6 rpms from ftp://ftp.sudo.ws/pub/millert/sudo/ and let me know if that works for you.
Comment 4 Ryanne Fox 2013-07-29 16:57:18 MDT
Thank you for this patch.  I tested it out this afternoon.  It changed the behavior, but did not succeed.

With sudo-1.8.7-2.el6.x86_64

[rfox@client PROD ~]$ sudo -l
[sudo] password for rfox: 
User rfox is not allowed to run sudo on s2plpkiswapp01.

Creating a symlink to /tmp/krb5cc_0 still allows it to succeed.
Comment 5 Todd C. Miller 2013-07-30 15:36:28 MDT
I found a problem with the patch.  I've updated the packages at ftp://ftp.sudo.ws/pub/millert/sudo/ though it may be simpler for you to just update the /usr/libexec/sudo/sudoers.so file with sudoers.so.el6.i386 or sudoers.so.el6.x86_64
Comment 6 Ryanne Fox 2013-07-30 16:51:46 MDT
I'm afraid there's no difference in behavior from the last test.
Comment 7 Todd C. Miller 2013-07-31 16:14:10 MDT
There was an error in the last version.  Can you try just replacing sudoers.so with the new version from ftp://ftp.sudo.ws/pub/millert/sudo/?
Comment 8 Ryanne Fox 2013-08-01 12:38:44 MDT
The latest patch worked for me.  Thank you!
Comment 9 Todd C. Miller 2013-08-17 05:44:14 MDT
The fix is present in sudo 1.8.8b1, which is available now.
Comment 10 Todd C. Miller 2013-09-30 09:32:57 MDT
Fixed in sudo 1.8.8