[sudo-users] Sudo, nss_ldap, SASL problem

Brandon Ewing marlboro at warningg.com
Fri Apr 20 12:16:33 EDT 2007


Greetings,

I am testing out a Kerberos/LDAP installation against a Microsoft AD server.
My test platform is CentOS 4.x running nss_ldap-226 and sudo-1.6.7p5 (both
from CentOS RPMs).

Currently, we are not using a binddn in /etc/ldap.conf to access the
Microsoft LDAP service - we are instead using SASL (with a cached machine
ticket) to authorize access to the LDAP service:

(/etc/ldap.conf):

use_sasl on
sasl_authid test$@EXAMPLE.COM
rootsasl_authid test$@EXAMLE.COM
rootuse_sasl yes

I am able to log in via Kerberos, and then getent passwd and get the full
user list - however, attempting to run sudo as a kerberos user results in
the following:

-bash-3.00$ getent passwd bob
bob:!:10000:10000:Bob Dole:/home:/bin/bash
-bash-3.00$ sudo su -
sudo: uid 10000 does not exist in the passwd file!

And in /var/log/messages:
Apr 20 10:51:49 localhost sudo: GSSAPI Error: Miscellaneous failure (No
credentials cache found)

Is there a solution to this, other than putting a binddn in the ldap.conf
(something we would prefer NOT to do)?

Brandon
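A small diagnostic to go with the symptom above. It is added here and is not part of Brandon's post or of nss_ldap or sudo. It shows which Kerberos credential cache libkrb5 would open for a given uid, and whether that file exists, so the difference between `getent passwd bob` run as uid 10000 (the user's own cache) and the lookup nss_ldap performs inside setuid-root sudo (uid 0, and, as assumed here from the "No credentials cache found" error, without the user's KRB5CCNAME) becomes visible. It assumes the MIT default cache location of FILE:/tmp/krb5cc_<uid> when KRB5CCNAME is unset and krb5.conf sets no default_ccache_name; KRB5_TMPDIR is a hypothetical override of /tmp so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added diagnostic, not code from the original post: report which Kerberos
# credential cache libkrb5 would look for, and whether it is present.
# Assumptions: MIT default of FILE:/tmp/krb5cc_<uid> when KRB5CCNAME is unset
# and krb5.conf sets no default_ccache_name. KRB5_TMPDIR is a hypothetical
# override of /tmp used only so the checks can run against a scratch dir.

# default_ccache UID [KRB5CCNAME]: print the cache path libkrb5 would use.
default_ccache() {
    uid=$1
    env_name=$2
    if [ -n "$env_name" ]; then
        case "$env_name" in
            FILE:*) printf '%s\n' "${env_name#FILE:}" ;;   # strip the FILE: type prefix
            *)      printf '%s\n' "$env_name" ;;           # other cache types: print as given
        esac
    else
        printf '%s/krb5cc_%s\n' "${KRB5_TMPDIR:-/tmp}" "$uid"
    fi
}

# ccache_status UID [KRB5CCNAME]: "present" if a cache file exists at the
# resolved path, otherwise "missing" (what libkrb5 reports as
# "No credentials cache found").
ccache_status() {
    path=$(default_ccache "$1" "$2")
    if [ -f "$path" ]; then
        echo present
    else
        echo missing
    fi
}

# explain_sudo USER_UID: compare the interactive user's view with the view
# inside sudo. sudo is setuid root, so nss_ldap does its passwd lookup with
# effective uid 0; the KRB5CCNAME of the invoking user is assumed not to be
# honoured there (consistent with the error in the post). With rootuse_sasl
# set, nss_ldap then binds as rootsasl_authid, so it is root's cache, not the
# user's, that must contain the machine ticket.
explain_sudo() {
    user_uid=$1
    user_cc=$(default_ccache "$user_uid" "$KRB5CCNAME")
    root_cc=$(default_ccache 0 "")
    printf 'uid %s (getent as the user): %s -> %s\n' \
        "$user_uid" "$user_cc" "$(ccache_status "$user_uid" "$KRB5CCNAME")"
    printf 'uid 0 (nss_ldap inside sudo): %s -> %s\n' \
        "$root_cc" "$(ccache_status 0 "")"
}

# Usage as the affected user, after sourcing this file:
#   explain_sudo "$(id -u)"
```

If the second line reports `missing`, the GSSAPI bind made on root's behalf has nothing to present, which matches the log line in the post; the check says nothing about whether the ticket in the user's cache is valid, only where each identity looks for one.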
