[sudo-users] [RESOLVED] Re: sudo-ldap works with !authenticate only

Olivia Nelson the.warl0ck.1989 at gmail.com
Mon Sep 9 06:02:46 MDT 2019


Resolved. pam_unix must be placed before pam_sss to make it work.

On Mon, Sep 9, 2019 at 5:20 PM Olivia Nelson <the.warl0ck.1989 at gmail.com> wrote:
>
> I forgot to attach these logs:
>
> # Without !authenticate:
>
> sudo: searching LDAP for sudoers entries
> sudo: ldap sudoRunAsUser 'ALL' ... MATCH!
> sudo: ldap sudoCommand 'ALL' ... MATCH!
> sudo: ldap sudoCommand '!/bin/cp' ... MATCH!
> sudo: Command allowed
> sudo: LDAP entry: 0x5604a5543930
> sudo: done with LDAP searches
> sudo: user_matches=true
> sudo: host_matches=true
> sudo: sudo_ldap_lookup(0)=0x02
>
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
>     #1) Respect the privacy of others.
>     #2) Think before you type.
>     #3) With great power comes great responsibility.
>
> [sudo] password for test:
> Sorry, try again
>
> On Mon, Sep 9, 2019 at 5:18 PM Olivia Nelson <the.warl0ck.1989 at gmail.com> wrote:
> >
> > I'm trying to set up sudo-ldap in a clean CentOS 7 docker environment.
> > I've successfully set up sssd and PAM authentication, and it works.
> >
> > However, sudo-ldap works only if !authenticate is set:
> >
> > ---------------
> > # LDIF file
> >
> > dn: cn=test,ou=SUDOers,ou=People,dc=srv,dc=world
> > objectClass: top
> > objectClass: sudoRole
> > cn: test
> > sudoUser: test
> > sudoHost: ALL
> > sudoRunAsUser: ALL
> > sudoCommand: ALL
> > sudoCommand: !/bin/cp
> > sudoOption: !authenticate
> >
> > # result of sudo cp:
> >
> > sudo: searching LDAP for sudoers entries
> > sudo: ldap sudoRunAsUser 'ALL' ... MATCH!
> > sudo: ldap sudoCommand 'ALL' ... MATCH!
> > sudo: Command allowed
> > sudo: LDAP entry: 0x564d56cb9960
> > sudo: done with LDAP searches
> > sudo: user_matches=true
> > sudo: host_matches=true
> > sudo: sudo_ldap_lookup(0)=0x02
> > sudo: removing reusable search result
> > cp: missing file operand
> > Try 'cp --help' for more information.
> > ---------------
> >
> > If I remove `sudoOption: !authenticate`, it prompts me for a password,
> > but it's always wrong:
> >
> > sudo: pam_sss(sudo:auth): authentication failure; logname= uid=2000
> > euid=0 tty=/dev/console ruser=test rhost= user=test
> >
> > I got the above line even before I typed the password, but I can use
> > the same password to log in via SSH, so it's a sudo issue.
> >
> > What do you think?
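The resolution above is an ordering constraint on the PAM auth stack: pam_unix before pam_sss. The script below is an added example, not code from the thread or from the sudo or sssd projects. It writes two constructed `system-auth`-style fragments (simplified from the layout CentOS 7's `authconfig` generates; they are assumptions, not the poster's real configuration) and checks which module comes first in the `auth` stack, so the ordering can be verified before anyone reaches for `!authenticate` as a workaround.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from the
# sudo/sssd projects). It checks the ordering the poster reports as the fix:
# in a PAM service's "auth" stack, pam_unix.so must appear before pam_sss.so.
# The two sample stacks below are constructed, simplified from what CentOS 7's
# authconfig writes to /etc/pam.d/system-auth; they are assumptions, not the
# poster's actual configuration.

# Write a constructed system-auth style fragment to $1.
# $2 selects the ordering: "unix_first" (the working order per the thread)
# or "sss_first" (misordered).
write_sample_stack() {
    if [ "$2" = "unix_first" ]; then
        cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
EOF
    else
        cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_sss.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
EOF
    fi
}

# Exit status: 0 if pam_unix.so precedes pam_sss.so in the auth stack of $1,
# 1 if pam_sss.so comes first, 2 if either module is absent from the stack.
# Only "auth" lines count; account, password and session lines are ignored.
pam_auth_order_ok() {
    awk '
        $1 == "auth" && /pam_unix\.so/ && !u { u = NR }
        $1 == "auth" && /pam_sss\.so/  && !s { s = NR }
        END {
            if (!u || !s) exit 2
            if (u < s) exit 0
            exit 1
        }
    ' "$1"
}

# Human-readable verdict for one file, passing through the exit code above.
describe_stack() {
    rc=0
    pam_auth_order_ok "$1" || rc=$?
    case $rc in
        0) echo "$1: pam_unix.so before pam_sss.so (expected order)" ;;
        1) echo "$1: pam_sss.so before pam_unix.so (misordered)" ;;
        *) echo "$1: auth stack lacks pam_unix.so or pam_sss.so" ;;
    esac
    return $rc
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_stack "$demo_dir/good" unix_first
write_sample_stack "$demo_dir/bad" sss_first
describe_stack "$demo_dir/good" || true
describe_stack "$demo_dir/bad" || true
rm -rf "$demo_dir"
```

To check a real host, run `pam_auth_order_ok /etc/pam.d/system-auth` (or whichever file `/etc/pam.d/sudo` includes on your system) and act on the exit code. In the misordered sample, `pam_sss.so use_first_pass` sits before any module that has prompted for a password; `use_first_pass` tells a module to reuse the previously collected password rather than prompt, which is one way such a stack can fail before a prompt ever appears. Whether that matches the poster's exact setup is not shown in the thread.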

