Bugzilla – Bug 152
Switched NIS to LDAP, cannot get sudo to validate user password
Last modified: 2004-11-22 01:06:41 MST
Running Solaris 9 904, with Java Directory Server 5.2, and sudo 1.6.8p1. Reporting this problem running on a Sun Blade 150. It seems we can get sudo to function under LDAP but we cannot get sudo to validate the user password. Notice:

eeyore:~dcarlson>6% sudo -l
LDAP Config Summary
===================
uri           ldap://wizard.sunlab.usa-spaceops.com:389
ldap_version  3
sudoers_base  ou=SUDOers,dc=sunlab,dc=usa-spaceops,dc=com
binddn        cn=proxyagent,ou=profile,dc=sunlab,dc=usa-spaceops,dc=com
bindpw        acceSSUP
ssl           (no)
===================
ldap_initialize(ld,ldap://wizard.sunlab.usa-spaceops.com:389)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_bind() ok
found:cn=defaults,ou=Sudoers,dc=sunlab,dc=usa-spaceops,dc=com
ldap sudoOption: 'ignore_local_sudoers'
ldap search '(|(sudoUser=dcarlson)(sudoUser=%osg)(sudoUser=%osg)(sudoUser=%flexlm)(sudoUser=%perf)(sudoUser=%shared)(sudoUser=%trajadm)(sudoUser=ALL))'
found:cn=dcarlson,ou=Sudoers,dc=sunlab,dc=usa-spaceops,dc=com
ldap sudoHost 'ALL' ... MATCH!
found:cn=SUNLAB,ou=Sudoers,dc=sunlab,dc=usa-spaceops,dc=com
ldap sudoHost 'ALL' ... MATCH!
ldap search 'sudoUser=+*'
user_matches=-1
host_matches=-1
sudo_ldap_check(50)=0x02

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
LDAP Password:
sudo: pam_authenticate: No account present for user

We are logging in with LDAP and validation of passwords works fine then. I have tried to truss the password entry and I don't see sudo doing an ldapsearch to acquire the password. Please, please, any assistance would be thoroughly appreciated.
I suppose it is possible you may need to add something to pam.conf. I'm going to assign this to Aaron and see what he thinks.
Dennis, I suspect this is an issue with either your /etc/pam.conf or your /etc/nsswitch.conf. I'd be glad to help you debug it. You can send the files to aaron@spangler.ods.org directly if you don't want them to be included in the bug report. I might also need a copy of 'ls -l /usr/lib/security'. Thanks for your response. - Aaron
Dennis, Thanks for sending the files. I have looked over them and they look good for the most part. Some minor tweaks could be done but I don't believe them to be related to the problem at hand. Here are some steps to try to better narrow the problem:

1) Both su and sudo will use the 'other auth' lines in your /etc/pam.conf. If su is broken just like sudo then we have problems that are beyond sudo. If only sudo behaves this way, continue with the following steps.

2) Perform the following commands to turn off PAM debugging. Replace [TAB] with the TAB character on the keyboard.
   # touch /etc/pam_debug
   # echo "auth.debug[TAB]/etc/pam_debug" >> /etc/syslog.conf
   # pkill -HUP syslogd

3) Retry your original tests with sudo.

4) Turn off PAM debugging: remove the 'auth.debug' line in /etc/syslog.conf, then do: pkill -HUP syslogd

5) Review the pam_debug file. It should give helpful information on which module complains and why. Go ahead and send the log to me and I would be glad to help you debug it. You might also repeat the tests but for 'su' as well so we can determine the differences. Make sure we use the same user and password in each case.

- Aaron
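Steps 2 and 4 above, written as idempotent POSIX shell functions; this is an added example, not code from the bug thread. The syslog.conf and log paths are parameters so the functions can be exercised on a scratch copy first (assumption: on the Solaris 9 host you run them as root with /etc/syslog.conf and /etc/pam_debug, and the hypothetical RELOAD_SYSLOGD switch is set so the pkill actually fires).

```shell
#!/bin/sh
# Added example (not from the bug report): Aaron's PAM debugging steps as
# functions that can be run repeatedly without stacking duplicate lines.
# Assumptions: conf/log paths are passed in; RELOAD_SYSLOGD=1 enables the
# real 'pkill -HUP syslogd' (left off so a scratch run touches no daemon).

TAB="$(printf '\t')"

reload_syslogd() {
    if [ -n "$RELOAD_SYSLOGD" ]; then pkill -HUP syslogd; fi
}

# Step 2: create the log file first (syslogd will not create it, hence the
# 'touch' in the thread), then append the selector line exactly once.
enable_pam_debug() {
    conf="$1"; log="$2"
    if ! grep -q "^auth\.debug${TAB}" "$conf"; then
        : > "$log"
        printf 'auth.debug%s%s\n' "$TAB" "$log" >> "$conf"
    fi
    reload_syslogd
}

# Step 4: drop the auth.debug selector line again and reload syslogd.
disable_pam_debug() {
    conf="$1"; tmp="$conf.tmp.$$"
    grep -v "^auth\.debug${TAB}" "$conf" > "$tmp" || true  # grep -v exits 1 on empty result
    mv "$tmp" "$conf"
    reload_syslogd
}

# Sanity check for the [TAB] caveat in the thread: traditional syslogd,
# Solaris included, wants a TAB between selector and action. Counts
# non-comment, non-blank lines that contain no TAB at all.
count_space_separated_lines() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | grep -vc "$TAB" || true
}
```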
From Carlson, Dennis H

Hi Aaron, When you said I may have a configuration parameter wrong, I tried recompiling without "--with-pam" specified. Guess what? sudo works as advertised. I haven't gone back to attempt to analyze why sudo works, but it does. Now the only problem I observe is when I key in "sudo sudo -l", I get "Sorry, user dcarlson is not allowed to execute "/opt/sfw/bin/sudo -l" as root on wizard.", after password validation. All scripts we created for sudo now work. Unless you have a suggestion for this error, I guess we can live with it. Thanks for all your help.