[sudo-users] is not allowed to execute '/bin/su -' as root
Jeremy Hansen
jeremy at smokehabanos.com
Tue Mar 21 17:00:05 EST 2006
I'm attempting to set up sudo control via LDAP. I seem to have most pieces
worked out, but I'm unable to get sudo to allow my user to actually run
things.
Here's the info:
My defaults
dn: cn=defaults,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: ignore_local_sudoers
User entry
dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: jhansen
sudoUser: jhansen
sudoHost: ALL
sudoCommand: (ALL) ALL
Here is my output when I just try to do sudo su - as user jhansen
[jhansen at z000009 ~]$ sudo su -
LDAP Config Summary
===================
host z000009.blah.com
port 389
ldap_version 3
sudoers_base ou=SUDOers,dc=blah,dc=com
binddn (anonymous)
bindpw (anonymous)
ssl start_tls
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
ldap_init(z000009.blah.com,389)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_start_tls_s() ok
ldap_bind() ok
found:cn=defaults,ou=SUDOers,dc=blah,dc=com
ldap sudoOption: 'ignore_local_sudoers'
ldap search
'(|(sudoUser=jhansen)(sudoUser=%jhansen)(sudoUser=%jhansen)(sudoUser=ALL))'
found:cn=jhansen,ou=SUDOers,dc=blah,dc=com
ldap sudoHost 'ALL' ... MATCH!
ldap sudoCommand '(ALL) ALL' ... not
ldap search 'sudoUser=+*'
user_matches=-1
host_matches=-1
sudo_ldap_check(0)=0x04
Password:
Sorry, user jhansen is not allowed to execute '/bin/su -' as root on
z000009.blah.com.
The session looks as if it finds my user, says there's a match, but it seems
to get something wrong on the sudoCommand entry...
Not really sure what's going on at this point.
My /etc/pam.d/sudo
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Any help is appreciated.
Thanks
-jeremy
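As an added example (not from the original post or from the sudo project), a small Python model of the sudoRole matching that the debug output above walks through: it parses the LDIF, applies the user, host and command checks in order, and shows why a sudoCommand value of '(ALL) ALL' is compared literally and never matches '/bin/su -', while sudoCommand: ALL with the run-as target in its own attribute does. The attribute name sudoRunAs and the simplified matching rules are assumptions.

```python
def parse_ldif(text):
    """Parse a simple blank-line-separated LDIF blob into attr -> [values] dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def command_matches(values, cmd):
    # sudo compares each sudoCommand value literally against the command
    # (path, optionally followed by its args); only the keyword ALL is special.
    # A value like "(ALL) ALL" is therefore just a command named "(ALL)".
    return any(v == "ALL" or v == cmd or v == cmd.split()[0] for v in values)


def check_sudo(entries, user, host, cmd, runas="root", groups=()):
    """True if some sudoRole entry grants user@host the right to run cmd as runas."""
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        users = e.get("sudoUser", [])
        if not any(u in ("ALL", user) or (u.startswith("%") and u[1:] in groups)
                   for u in users):
            continue
        if not any(h in ("ALL", host) for h in e.get("sudoHost", [])):
            continue
        if not command_matches(e.get("sudoCommand", []), cmd):
            continue
        # Assumption: the run-as target lives in sudoRunAs; absent means root only.
        if not any(r in ("ALL", runas) for r in e.get("sudoRunAs", ["root"])):
            continue
        return True
    return False


# Constructed LDIF: the entry from the post, and a corrected variant.
BROKEN = """dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
objectClass: sudoRole
cn: jhansen
sudoUser: jhansen
sudoHost: ALL
sudoCommand: (ALL) ALL
"""
FIXED = BROKEN.replace("sudoCommand: (ALL) ALL", "sudoCommand: ALL\nsudoRunAs: ALL")
```

Run `check_sudo(parse_ldif(BROKEN), "jhansen", "z000009.blah.com", "/bin/su -")` to reproduce the denial and the same call with FIXED to see it granted.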