[sudo-users] Same U/N - different UID's -- trying to use sudo in scripts across subnets.

Galen Johnson Galen.Johnson at sas.com
Tue Dec 19 18:47:23 EST 2006


It sounds like you're actually running it via an ssh command?  If so, it may be your login password it's prompting you for.  If this is the case, look into keychain and ssh keys (or configure host-based authentication in ssh). 

=G=

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Peter Farrell
Sent: Tuesday, December 19, 2006 4:48 PM
To: sudo-users at sudo.ws
Subject: Re: [sudo-users] Same U/N - different UID's -- trying to use sudo in scripts across subnets.

On 19/12/06, Galen Johnson <Galen.Johnson at sas.com> wrote:
> I wouldn't have thought so.  I'm going to assume that you are using /etc/passwd.  On the server that doesn't work (assume SERVER-B), does 'grep 731 /etc/passwd' return more than one result?
>
> What happens when you run 'sudo -u nagios amcheck' on this server?

Two servers:
A = nagios server
B = amanda server

From A to B - always fails (it prompts user nagios for a password)
On B, as user nagios - it works a treat.
I run:
# su - nagios
$nagios> sudo -u amanda amcheck daily
and it's happy days and sunshine...
When the user nagios - runs the python script from the Nagios server on the Amanda server - it's not so happy... and don't even ask about the sunshine... (I'm in Cardiff, Wales)

From the python: amcheck.py
...
# Run amcheck
handle, logname = tempfile.mkstemp()

result = os.system("sudo -u amanda /usr/local/amanda/sbin/amcheck %s > %s 2> %s" %
    (configuration, logname, logname))
...

This script is running as user nagios.
So - for this line to work: 'sudo -u amanda /usr/local/amanda/sbin/amcheck'
I set up sudoers for the user nagios - on the server where the script runs (AMANDA server) thinking this is what I needed... but when I run w/ a trace from the originating machine (NAGIOS server), the script always prompts for a password.

I think I'm just going to blow the whole thing out and write a simpler script in Bash that uses ssh to execute the command...

Thanks for your input.
-Peter




> =G=
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com 
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Peter Farrell
> Sent: Tuesday, December 19, 2006 2:35 PM
> To: sudo-users at sudo.ws
> Subject: Re: [sudo-users] Same U/N - different UID's -- trying to use sudo in scripts across subnets.
>
> On 19/12/06, Galen Johnson <Galen.Johnson at sas.com> wrote:
> > Does the nagios user share a numeric ID on the server that prompts you?  Unix doesn't care about the name so much as the numeric ID associated with it.
> >
>
> The nagios users on both servers have different UIDs.
> So: SERVER-A::nagios::501 >>> SERVER-B::nagios::731 sudo amcheck 
> [FAIL]
>
> They'll have to have the same UID's for this to work right?
>
> -Peter
>
>
> > As for the NOPASSWD on a specific command, you should be able to use the full path to amcheck.  I generally prefer to use command aliases, so as an example:
> >
> > Runas_Alias     AMUSER=amanda
> > Command_Alias   AMANDA=/path/to/amcheck
> >
> > nagios ALL=NOPASSWD:(AMUSER)AMANDA
> >
> > Unless you need amcheck to run as root, substitute (root) for (AMUSER).
> >
> > =G=
> >
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com 
> > [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Peter Farrell
> > Sent: Tuesday, December 19, 2006 10:53 AM
> > To: sudo-users at sudo.ws
> > Subject: [sudo-users] Same U/N - different UID's -- trying to use sudo in scripts across subnets.
> >
> > Hi.
> >
> > I'm trying to get my nagios user to run an AMANDA 'amcheck' command via a python check script.
> >
> > Works fine on the backup server.
> > Will not work across the network. (It always prompts for the 
> > password)
> >
> > The only difference is that the usernames are the same (nagios) but their UID's (calling sudo) on each server are different.
> >
> > I used this on the target server:
> > nagios ALL=NOPASSWD:ALL
> >
> > *couldn't figure out how to use 'NOPASSWD' and a specific command 
> > (in this case 'amcheck' - didn't know if because it is an SUID file 
> > that that would pose a problem.)
> >
> > ================
> > all FC4 / sudo-1.6.8p8-2.2
> > ================
> >
> > My question to the list is two-fold:
> >
> > 1. Am I correct in the reason that it won't work?
> > 2. Is there a work-around? (Aside from changing the UID's on both 
> > servers to match?)
> >
> > -thank you.
> >
> > -Peter
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws> For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws> For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
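
Added example, not part of the original messages or of anyone's posted script: a Python wrapper for the cross-host check discussed in this thread that makes ssh (BatchMode=yes) and sudo (-n) fail instead of prompting, then reports which layer refused. The function names are illustrative, the sample results are constructed, and it assumes a sudo release that supports -n, which the 1.6.8p8 named in the thread may not.

```python
import shlex
import subprocess

AMCHECK = "/usr/local/amanda/sbin/amcheck"  # path quoted in the thread

def build_command(host, configuration, login="nagios"):
    """Build an ssh+sudo command line in which neither layer may prompt."""
    remote = ["sudo", "-n", "-u", "amanda", AMCHECK, configuration]
    return [
        "ssh", "-o", "BatchMode=yes",  # ssh fails instead of asking for a password
        "-l", login, host,
        # ssh hands the remote side one string for a shell, so quote each word
        " ".join(shlex.quote(word) for word in remote),
    ]

def classify(returncode, stderr):
    """Name the layer that refused, from the exit status and stderr text."""
    if returncode == 0:
        return "ok"
    if "a password is required" in stderr:
        return "sudo: no NOPASSWD rule matched on the remote host"
    if "must have a tty" in stderr:
        return "sudo: requiretty is set on the remote host"
    if returncode == 255:
        return "ssh: login or connection failed before sudo ran"
    return "amcheck: command ran and reported a problem"

def run_check(host, configuration):
    """Run the check; returns (verdict, combined output)."""
    proc = subprocess.run(build_command(host, configuration),
                          capture_output=True, text=True, timeout=60)
    return classify(proc.returncode, proc.stderr), proc.stdout + proc.stderr

if __name__ == "__main__":
    # Constructed sample results (exit status, stderr), not captured output.
    samples = [
        (255, "Permission denied (publickey,password).\n"),
        (1, "sudo: a password is required\n"),
        (1, "sudo: sorry, you must have a tty to run sudo\n"),
        (0, ""),
    ]
    for status, err in samples:
        print(status, "->", classify(status, err))
```

A "sudo:" verdict means the sudoers entry on the machine where amcheck runs is not matching; an "ssh:" verdict means the prompt seen earlier was the login password, and the fix is key-based or host-based ssh authentication.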



