[sudo-users] Re: sudo+ldap+redhat (fedora)
Aaron Spangler
aaron777 at gmail.com
Sun Jul 10 15:25:05 EDT 2005
Thanks for the debugging information. Sorry I took so long to respond.
For whatever reason, it appears that Linux is unable to determine the
proper netgroups. Sudo simply uses the netgr_matches() libc call that
is common on all Unix operating systems.
I suspect that since Linux itself is not able to read the netgroups
there might be some other issue not related to sudo. Here are some
things to try:
1) I am assuming that your netgroup information is stored in LDAP.
Verify that the 'netgroups' line in /etc/nsswitch.conf reads:

   netgroups: ldap

2) Verify that nss_ldap is looking for the netgroups in the correct
place. Check your /etc/ldap.conf and look for the line. It should
point to the container in your LDAP server where the netgroup
information lives.

   nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
Hopefully that should get you going.
On 5/11/05, jan.david at agfa.com <jan.david at agfa.com> wrote:
>
> Hello Aaron,
>
> I have been working with the SunOne directory server, Solaris and Sudo for
> a while now and it all works fine. Unfortunately, my boss decided that we
> needed to have some Linux servers and now things do not work so well
> anymore.
>
> Maybe you can help me?
>
> Here's the problem.
>
> On Solaris, we have a netgroup called "ucc". In the /etc/nsswitch.conf file
> you'll find:
>
> passwd: compat
>
> and in /etc/passwd you'll find:
>
> +@ucc
>
> Different users belong to this netgroup, such as me (account: eyorm).
>
> If I perform a "sudo -l" on Solaris, it correctly looks up the netgroup,
> "ucc" and finds that since I belong to it, I can perform certain
> privileged tasks.
> On Linux (Redhat Fedora) this does not quite seem to work. The netgroups
> are being looked up, but the users that belong to that group are not.
>
> Note that sudo works if I put my account directly into the sudoRole or if I
> use a posixgroup (e.g. %wheel). It does not work with netgroups however. My
> guess is that this might have something to do with the padl libraries??
>
> Here's the output of "sudo -l":
>
>
> $ sudo -l
> LDAP Config Summary
> ===================
> host ldap1 ldap2
> port 389
> ldap_version 3
> sudoers_base ou=sudoers,dc=com,dc=agfa
> binddn (anonymous)
> bindpw (anonymous)
> ssl no
> ===================
> ldap_init(ldap1 ldap2,389)
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> ldap_bind() ok
> found:cn=defaults,ou=sudoers,dc=be,dc=local
> ldap sudoOption: 'logfile=/var/log/sudo.log'
> ldap sudoOption: 'lecture=never'
> ldap sudoOption: 'ignore_local_sudoers'
> ldap search
> '(|(sudoUser=eyorm)(sudoUser=%wheel)(sudoUser=%wheel)(sudoUser=%vrtsadm)(sudoUser=%f_cc_mq)(sudoUser=%wsa_user)(sudoUser=ALL))'
> ldap search 'sudoUser=+*'
> found:cn=legato,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+operations' ... not
> found:cn=saprouter,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+sap' ... not
> found:cn=nagiosadmin,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+nagios' ... not
> found:cn=smsadmin,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+nagios' ... not
> ldap sudoUser netgroup 'nagios' ... not
> found:cn=jcommerce,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+jcommerce' ... not
> found:cn=vcs,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+orausers' ... not
> ldap sudoUser netgroup 'lp0adm' ... not
> ldap sudoUser netgroup 'lp4adm' ... not
> found:cn=unixadmin,ou=sudoers,dc=be,dc=local # This is the sudorole
> that should match. It finds the "ucc" netgroup to which I belong, but
> doesn't check the netgroup entries ...
> ldap sudoUser netgroup '+ucc' ... not
> ldap sudoUser netgroup '+dba' ... not
> ldap sudoUser netgroup 'unixcc' ... not
> ldap sudoUser netgroup 'support' ... not
> found:cn=mfskbt,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+mfs' ... not
> found:cn=mfskbd,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+mfs' ... not
> found:cn=sapportal,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+sap' ... not
> found:cn=eccadmin,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+webusers' ... not
> found:cn=autonomy,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup 'autonomy' ... not
> ldap sudoUser netgroup 'amctd' ... not
> ldap sudoUser netgroup 'amady' ... not
> ldap sudoUser netgroup 'agpvd' ... not
> ldap sudoUser netgroup 'amgxz' ... not
> ldap sudoUser netgroup '+operations' ... not
> found:cn=rdmpasswd,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+operations' ... not
> found:cn=ioscadmin,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+iosc' ... not
> user_matches=0
> host_matches=0
> sudo_ldap_check(50)=0x44
> eyorm is not in the sudoers file. This incident will be reported.
>
>
> Any help would be appreciated.
>
> Best Regards,
>
> Jan
>
>
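The two checks from Aaron's reply (the netgroup source in nsswitch.conf and nss_base_netgroup in ldap.conf), plus a membership test over netgroup triples, as an added shell example that is not part of this thread or of sudo. The sample file contents, the `ucc`/`dba` triples and the `run_checks` helper are constructed here; the nsswitch.conf key is spelled `netgroup:`, and on a live host `getent netgroup ucc` prints a line of the same shape as the sample dump.

```shell
#!/bin/sh
# Added example (not from the thread): the two checks from the reply above,
# plus a netgroup-triple membership check, run against constructed sample
# files so it works offline. All file contents below are made up.
WORK=$(mktemp -d)
GOOD_NSS="$WORK/nsswitch.good"      # netgroup database served by ldap
BAD_NSS="$WORK/nsswitch.bad"        # netgroup database left on files only
LDAP_CONF="$WORK/ldap.conf"
NETGROUP_DUMP="$WORK/netgroup.txt"  # same shape as `getent netgroup ucc` output

printf 'passwd:   files ldap\nnetgroup: ldap\n' > "$GOOD_NSS"
printf 'passwd:   files ldap\nnetgroup: files\n' > "$BAD_NSS"
printf 'base dc=example,dc=com\nnss_base_netgroup ou=Netgroup,dc=example,dc=com?one\n' > "$LDAP_CONF"
printf 'ucc (,eyorm,) (,jan,)\ndba (,oracle,)\n' > "$NETGROUP_DUMP"

# Check 1: sources listed for the netgroup database (the key is "netgroup:")
nsswitch_netgroup_sources() {
  awk '$1 == "netgroup:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
netgroup_uses_ldap() {
  nsswitch_netgroup_sources "$1" | tr ' ' '\n' | grep -qx ldap
}

# Check 2: the container nss_ldap searches for netgroup entries
ldap_netgroup_base() {
  awk '$1 == "nss_base_netgroup" { print $2; exit }' "$1"
}

# Check 3: is USER in the user field of any (host,user,domain) triple of
# netgroup NAME? An empty user field is a wildcard, as in innetgr(3).
netgroup_has_user() {   # args: dump-file netgroup-name user
  awk -v ng="$2" -v u="$3" '
    $1 == ng { for (i = 2; i <= NF; i++) {
                 if ($i !~ /^\(/) continue      # skip nested netgroup names
                 t = $i; gsub(/[()]/, "", t); split(t, f, ",")
                 if (f[2] == u || f[2] == "") found = 1 } }
    END { exit found ? 0 : 1 }' "$1"
}

run_checks() {   # verdict for the sample files; on a real host pass the /etc paths
  if netgroup_uses_ldap "$GOOD_NSS"; then
    echo "nsswitch ok: netgroup -> $(nsswitch_netgroup_sources "$GOOD_NSS")"
  else
    echo "nsswitch: netgroup is not served by ldap"
  fi
  echo "nss_base_netgroup: $(ldap_netgroup_base "$LDAP_CONF")"
  if netgroup_has_user "$NETGROUP_DUMP" ucc eyorm; then echo "eyorm is in ucc"; fi
}
run_checks
```

On a real host, point the functions at /etc/nsswitch.conf, /etc/ldap.conf and the output of `getent netgroup ucc`; an empty getent result means libc itself cannot resolve the netgroup, which is the condition the reply describes.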