[sudo-users] Re: sudo+ldap+redhat (fedora)

Aaron Spangler aaron777 at gmail.com
Sun Jul 10 15:25:05 EDT 2005


Thanks for the debugging information.  Sorry I took so long to respond.
For whatever reason, it appears that linux is unable to determine the
proper netgroups.  Sudo simply uses the netgr_matches() libc call that
is common on all Unix operating systems.

I suspect that since Linux itself is not able to read the netgroups
there might be some other issue not related to sudo.  Here are some
things to try:

1) I am assuming that your netgroup information is stored in LDAP. 
Verify that the 'netgroups' line in /etc/nsswitch.conf reads:

netgroups: ldap

2) Verify that nss_ldap is looking for the netgroups in the correct
place.  Check your /etc/ldap.conf and look for the line.  It should
point to the container in your LDAP server where the netgroup
information lives.

nss_base_netgroup  ou=Netgroup,dc=example,dc=com?one

Hopefully that should get you going.


On 5/11/05, jan.david at agfa.com <jan.david at agfa.com> wrote:
> 
> Hello Aaron,
> 
> I have been working with the SunOne directory server, Solaris and Sudo for
> a while now and it all works fine. Unfortunately, my boss decided that we
> needed to have some Linux servers and now things do not work so well
> anymore.
> 
> Maybe you can help me?
> 
> Here's the problem.
> 
> On Solaris, we have a netgroup called "ucc". In the /etc/nsswitch.conf file
> you'll find:
> 
> passwd: compat
> 
> and in /etc/passwd you'll find:
> 
> +@ucc
> 
> Different users belong to this netgroup, such as me (account: eyorm).
> 
> If I perform a "sudo -l" on Solaris, it correctly looks up the netgroup,
> "ucc" and finds that since I belong to it, I can perform certain
> privileged tasks.
> On Linux (Redhat Fedora) this does not quite seem to work. The netgroups
> are being looked up, but the users that belong to that group are not.
> 
> Note that sudo works if I put my account directly into the sudoRole or if I
> use a posixgroup (e.g. %wheel). It does not work with netgroups however. My
> guess is that this might have something to do with the padl libraries??
> 
> Here's the output of "sudo -l":
> 
> 
> $ sudo -l
> LDAP Config Summary
> ===================
> host         ldap1 ldap2
> port         389
> ldap_version 3
> sudoers_base ou=sudoers,dc=com,dc=agfa
> binddn       (anonymous)
> bindpw       (anonymous)
> ssl          no
> ===================
> ldap_init(ldap1 ldap2,389)
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> ldap_bind() ok
> found:cn=defaults,ou=sudoers,dc=be,dc=local
> ldap sudoOption: 'logfile=/var/log/sudo.log'
> ldap sudoOption: 'lecture=never'
> ldap sudoOption: 'ignore_local_sudoers'
> ldap search
> '(|(sudoUser=eyorm)(sudoUser=%wheel)(sudoUser=%wheel)(sudoUser=%vrtsadm)(sudoUser=%f_cc_mq)(sudoUser=%wsa_user)(sudoUser=ALL))'
> ldap search 'sudoUser=+*'
> found:cn=legato,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+operations' ... not
> found:cn=saprouter,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+sap' ... not
> found:cn=nagiosadmin,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+nagios' ... not
> found:cn=smsadmin,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+nagios' ... not
> ldap sudoUser netgroup 'nagios' ... not
> found:cn=jcommerce,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+jcommerce' ... not
> found:cn=vcs,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+orausers' ... not
> ldap sudoUser netgroup 'lp0adm' ... not
> ldap sudoUser netgroup 'lp4adm' ... not
> found:cn=unixadmin,ou=sudoers,dc=be,dc=local     # This is the sudorole
> that should match. It finds the "ucc" netgroup to which I belong, but
> doesn't check the netgroup entries ...
> ldap sudoUser netgroup '+ucc' ... not
> ldap sudoUser netgroup '+dba' ... not
> ldap sudoUser netgroup 'unixcc' ... not
> ldap sudoUser netgroup 'support' ... not
> found:cn=mfskbt,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+mfs' ... not
> found:cn=mfskbd,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+mfs' ... not
> found:cn=sapportal,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+sap' ... not
> found:cn=eccadmin,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+webusers' ... not
> found:cn=autonomy,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup 'autonomy' ... not
> ldap sudoUser netgroup 'amctd' ... not
> ldap sudoUser netgroup 'amady' ... not
> ldap sudoUser netgroup 'agpvd' ... not
> ldap sudoUser netgroup 'amgxz' ... not
> ldap sudoUser netgroup '+operations' ... not
> found:cn=rdmpasswd,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+operations' ... not
> found:cn=ioscadmin,ou=sudoers,dc=be,dc=local
> ldap sudoUser netgroup '+iosc' ... not
> user_matches=0
> host_matches=0
> sudo_ldap_check(50)=0x44
> eyorm is not in the sudoers file.  This incident will be reported.
> 
> 
> Any help would be appreciated.
> 
> Best Regards,
> 
> Jan
> 
>
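A quick way to verify the two settings Aaron lists above (the nsswitch.conf database line and nss_ldap's nss_base_netgroup), as an added example that is not part of this thread or of sudo itself. It is a constructed Python script that parses the two files in memory; the sample file contents embedded at the bottom are constructed for the demonstration and the ou=Netgroup container name is taken from Aaron's reply. One caveat the checker encodes: the database name glibc looks up in nsswitch.conf for innetgr(3)/setnetgrent(3) is `netgroup` (singular), so a `netgroups:` line is reported separately rather than silently accepted.

```python
"""Sanity-check the NSS settings that sudo's netgroup matching depends on.

sudo only calls libc's netgroup lookup; if the host itself cannot resolve
netgroups, no sudoRole whose sudoUser is '+netgroup' will ever match.
This script parses nsswitch.conf and an nss_ldap style ldap.conf and
reports whether netgroup lookups are routed to LDAP and whether nss_ldap
is told where the netgroup container lives.  (Added example, not sudo code.)
"""
import re
import sys

# glibc's database name for netgroup lookups in nsswitch.conf (singular).
NSS_DATABASE = "netgroup"


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf contents."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = sources.split()
    return databases


def parse_ldap_conf(text):
    """Return {key: value} from nss_ldap's ldap.conf (keys are case-insensitive)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)               # key, then the rest of the line
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_netgroup_nss(nsswitch_text, ldap_conf_text):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    nss = parse_nsswitch(nsswitch_text)
    sources = nss.get(NSS_DATABASE)
    if sources is None:
        findings.append("nsswitch.conf: no '%s:' line, so glibc will not consult "
                        "LDAP for netgroups" % NSS_DATABASE)
        if "netgroups" in nss:
            findings.append("nsswitch.conf: found 'netgroups:' but glibc's database "
                            "name is 'netgroup' (singular)")
    elif "ldap" not in sources:
        findings.append("nsswitch.conf: '%s:' does not list ldap (sources: %s)"
                        % (NSS_DATABASE, " ".join(sources)))

    ldap = parse_ldap_conf(ldap_conf_text)
    base = ldap.get("nss_base_netgroup")
    if not base:
        findings.append("ldap.conf: nss_base_netgroup is not set; nss_ldap falls back "
                        "to the global 'base', so confirm the netgroup entries live under it")
    elif not re.match(r"^(ou|cn|dc)=", base, re.IGNORECASE):
        findings.append("ldap.conf: nss_base_netgroup %r does not look like a DN" % base)
    return findings


# Constructed sample contents: a misrouted host and a corrected one.
NSSWITCH_BROKEN = "passwd:   compat\nnetgroup: files nis\n"
LDAP_CONF_BROKEN = "host ldap1 ldap2\nbase dc=example,dc=com\n"

NSSWITCH_FIXED = "passwd:   compat\nnetgroup: ldap\n"
LDAP_CONF_FIXED = ("host ldap1 ldap2\nbase dc=example,dc=com\n"
                   "nss_base_netgroup ou=Netgroup,dc=example,dc=com?one\n")


def main(argv):
    """Check the real files when two paths are given, else the constructed samples."""
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            pairs = [("host", f1.read(), f2.read())]
    else:
        pairs = [("broken sample", NSSWITCH_BROKEN, LDAP_CONF_BROKEN),
                 ("fixed sample", NSSWITCH_FIXED, LDAP_CONF_FIXED)]
    for label, nss_text, ldap_text in pairs:
        findings = check_netgroup_nss(nss_text, ldap_text)
        print("%s: %s" % (label, "OK" if not findings else ""))
        for item in findings:
            print("  - " + item)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python check_netgroup_nss.py /etc/nsswitch.conf /etc/ldap.conf` on the affected host; if it reports OK and `+ucc` still does not match, the remaining suspect is the LDAP data itself, which `getent netgroup ucc` exercises through the same libc path sudo uses.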
