[sudo-users] Solaris 10 GMOsudo 1.7.0 integration with AD
Dimidis, Nick
nick.dimidis at hp.com
Tue Sep 13 03:21:59 EDT 2011
Hi,
I'm hoping that someone may be able to assist me with a problem encountered migrating UNIX servers from LDAP to AD.
I'm working on an activity to migrate from ORACLE (SUN) LDAP to Microsoft AD.
The current environment consists of a multitude of Solaris 10 and RedHat 5.5 servers authenticating from LDAP (runs on a Solaris 10 server).
We use LDAP both for UNIX logins as well as SUDO (the Solaris servers use GMOsudo 1.7.0). All sudo rules are maintained in LDAP.
On the test environment I'm using a Linux RedHat 5.5 server and a Solaris 10 server. All UNIX attributes and schemas have been extended in AD and the data imported (using ldif).
With Linux, after a few hiccups, it all works nicely. Logging on to the UNIX servers authenticates the password entered with the user's password stored in AD. Switching into another user also works (e.g. /opt/GMOsudo/bin/su - oracle). All sudo rules are held in AD.
Regarding the Solaris server, users can log on to the server with their password being authenticated with their password stored in AD.
However, GMOsudo does not work.
The GMOsudo 1.7.0 is the same as the one used on the Solaris 10 servers that use LDAP.
We put some traffic filters on the AD server and we noticed that:
a) Whilst we issue a sudo on the Linux server, the AD server gets a query (amongst user's id, info, passwd, etc.) to return all sudoers information for the user, for all servers, as stored in AD.
b) When we do the same on the Solaris server, we can only see user-related information queries (i.e. authentication password); however, we don't receive a request for information on sudoers rules.
The /etc/nsswitch.conf has been set to:
passwd: files ldap
group: files ldap
sudoers: ldap files
It appears that GMOsudo is looking only at the local sudoers files and does not go out to AD.
Any suggestions on where to start looking?
Thank you
Details of GMOsudo:
# pkginfo -l GMOsudo
   PKGINST:  GMOsudo
      NAME:  GMOsudo 1.7.0
  CATEGORY:  utility
      ARCH:  sparc
   VERSION:  1.7.0
   BASEDIR:  /
    VENDOR:  GMO
    PSTAMP:  30Jan2009
  INSTDATE:  Sep 09 2011 16:30
     EMAIL:  geoff at unixsysadmin.net
    STATUS:  completely installed
     FILES:  22 installed pathnames
             3 shared pathnames
             2 linked files
             12 directories
             3 executables
             1 setuid/setgid executables
             765 blocks used (approx
Nick Dimidis
Technical Consultant / Integration Engineering / HP Enterprise Services
Telephone +61 3 88047239 Mobile +61 402892926
Email nick.dimidis at hp.com