sudo, unix-groups and ldap
aaron at spangler.ods.org
Wed Dec 10 00:26:46 EST 2003
I believe having a group listed in both local & LDAP is confusing your Linux box. (It's like
having your account listed both in /etc/passwd and in LDAP.)
I recommend the following two changes:
1. In LDAP, remove xf01070 from the ldap group 'nobody'.
2. Change the primary group id (GID) of the ldap user xf01070 to be 65534. This way you are
guaranteed to get the group that you want. You will need to log out & log in for Linux to pick up
Also before running sudo, try running 'id -a' and verifying that you belong to the groups you
believe you belong to.
I hope this helps.
> Message: 1
> Date: Wed, 3 Dec 2003 14:06:01 +0100 (MET)
> From: "Heinz Ahrens" <xf01070 at gmx.de>
> Subject: sudo, unix-groups and ldap
> To: sudo-users at sudo.ws
> Message-ID: <26029.1070456761 at www51.gmx.net>
> Content-Type: text/plain; charset="iso-8859-1"
> Hello sudo-users,
> I have got a problem and I can not get the answer. I want to use sudo with
> ldap on SuSE United Linux 1.0:
> In my example I have the local group in /etc/group and one over ldap:
> xf01070 at nilix:~> getent group|fgrep nogroup
> nogroup:x:65534:nobody -> local entry
> nogroup:x:65534:xf01070 -> remote entry
> because of /etc/nsswitch.conf:
> group: files ldap
> And here is the problem. In /etc/sudoers I want my user xf01070 to get
> access because of the unix-group:
> Cmnd_Alias ID = /usr/bin/id
> %nogroup ALL=(nobody) NOPASSWD: ID
> Because of the sequence "files ldap" and not "ldap files" the user is not in
> the group "%nogroup". But I can not change the sequence to "ldap files"
> because of problems with booting.
> Perhaps someone can help me
> Heinz Ahrens
> xf01070 at gmx.de
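The shadowing situation discussed in this thread (the same group name defined in both /etc/group and LDAP, with `group: files ldap` in nsswitch.conf returning only the first match) can be checked before touching sudoers. The following POSIX sh functions are an added example written for this archive page, not code from either poster: they take getent-style output, report group names that appear more than once, and show which members the winning (first) entry actually carries. The sample input is constructed to mirror the entries quoted above; on a real box you would pass `"$(getent group)"` instead.

```shell
#!/bin/sh
# Added example (not from the original thread): spot NSS group shadowing.
# With "group: files ldap", the resolver returns the first matching entry,
# so a second entry with the same name (e.g. from LDAP) is never consulted
# when sudo evaluates a "%groupname" rule against the group's member list.

# Constructed sample of `getent group` output, modelled on the thread's
# nogroup example (not captured from a real system).
SAMPLE_GETENT='root:x:0:
nogroup:x:65534:nobody
nogroup:x:65534:xf01070
users:x:100:xf01070'

# Print each group name that occurs more than once in getent-style input.
# Usage: duplicate_groups "$(getent group)"
duplicate_groups() {
    printf '%s\n' "$1" | cut -d: -f1 | sort | uniq -d
}

# Print the member field of the first entry for a group, which is the only
# entry NSS will hand back under "files ldap".
# Usage: first_entry_members GROUP "$(getent group)"
first_entry_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4; exit }'
}

# Succeed (exit 0) only if USER is listed in the winning entry of GROUP.
# Usage: user_in_winning_entry USER GROUP "$(getent group)"
user_in_winning_entry() {
    first_entry_members "$2" "$3" | tr ',' '\n' | grep -qx "$1"
}

# Stand-alone demonstration on the constructed sample.
for g in $(duplicate_groups "$SAMPLE_GETENT"); do
    echo "group '$g' is defined more than once; winning members: $(first_entry_members "$g" "$SAMPLE_GETENT")"
done
if user_in_winning_entry xf01070 nogroup "$SAMPLE_GETENT"; then
    echo "xf01070 is a member of the winning nogroup entry"
else
    echo "xf01070 is NOT in the winning nogroup entry (matches the thread's symptom)"
fi
```

Run against real output, `duplicate_groups "$(getent group)"` listing anything is the signal that one source is shadowing the other; the member check shows why a `%nogroup` sudoers rule would not match the user even though LDAP lists them. Note that sudo also honours the user's primary GID, which is why the advice above to set that GID directly avoids the member-list problem entirely.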