[sudo-users] sudo 1.8.7 on RHEL6: unable to establish credentials: User not known to the underlying authentication module

JR Aquino JR.Aquino at citrix.com
Thu Jul 11 08:15:09 MDT 2013


Oops, I misspoke, it's sudoers      sss


http://linux.die.net/man/5/sssd-sudo

If you are just using the raw SSSD-ldap, I believe you just need: sudoers      ldap

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC | Certified Incident Handler
GIAC | WebApp Penetration Tester
GXPN | GIAC Advanced Penetration Tester and Exploit Researcher
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
C: +1 805.717.0365
jr.aquino at citrixonline.com
http://www.citrixonline.com

On Jul 11, 2013, at 7:08 AM, "Michael Ströder" <michael at stroeder.com> wrote:

Hi!

I'm trying to upgrade to self-compiled sudo 1.8.7 on RHEL5.6 x86_64 with LDAP
as backend.
We're also using sssd-ldap, which works correctly.

Build of RPM package 1.8.7 was done on RHEL5 with these commands:

./configure \
 --prefix=/usr \
 --with-ldap \
 --with-pam \
 --with-pam-login \
 --with-editor=/bin/vi \
 --with-env-editor \
 --with-ignore-dot \
 --with-tty-tickets \
 --with-ldap \
 --with-selinux \
 --with-linux-audit \
 --with-passprompt="[sudo] password for %p: "
make && make package

The sudo-ldap configuration seems to be correct since everything works with
version 1.7.2p1 shipped with RHEL5.

It also works with self-compiled 1.8.7 package as expected but there's a
strange message output to console:

------------------- snip -------------------
[myusername@rhel5test ~]$ sudo -i
[..]
[sudo] password for myusername:
sudo: unable to establish credentials: User not known to the underlying
authentication module
------------------- snip -------------------

In /var/log/secure these messages are written:

------------------- snip -------------------
Jul 11 15:54:06 rhel5test sudo: pam_unix(sudo-i:auth): authentication failure;
logname=myusername uid=21400161 euid=0 tty=/dev/pts/1 ruser=myusername rhost=
user=myusername
Jul 11 15:54:06 rhel5test sudo: pam_sss(sudo-i:auth): authentication success;
logname=myusername uid=21400161 euid=0 tty=/dev/pts/1 ruser=myusername rhost=
user=myusername
Jul 11 15:54:06 rhel5test sudo: myusername : TTY=pts/1 ; PWD=/home/myusername ;
USER=root ; COMMAND=/bin/bash
Jul 11 15:54:06 rhel5test sudo: myusername : unable to establish credentials:
User not known to the underlying authentication module ; TTY=pts/1 ;
PWD=/home/myusername ; USER=root ; COMMAND=/bin/
------------------- snip -------------------

I tried to disable various unneeded session-related config lines in
/etc/pam.d/* but still this message appears.
BTW: Same symptoms after upgrading to sudo 1.8.7 on SLES11SP2 x86_64.

Any clue how to track this down?
Maybe additional build options needed for 64 bit platform?

Many thanks in advance.

Ciao, Michael.
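
An added example, not part of the original messages and not sudo's own code: a Python script that joins each "unable to establish credentials" record in /var/log/secure with the PAM authentication verdicts logged for the same invocation, showing which modules in the stack passed or failed before the error was written. The function name, the regular expressions and the same-second correlation are assumptions; the sample log is reconstructed from the excerpt in the message above.

```python
import re
from collections import defaultdict

# Constructed sample: the /var/log/secure excerpt from the message with the
# mail-wrapped lines rejoined (the last COMMAND= is cut short there, too).
SAMPLE_LOG = """\
Jul 11 15:54:06 rhel5test sudo: pam_unix(sudo-i:auth): authentication failure; logname=myusername uid=21400161 euid=0 tty=/dev/pts/1 ruser=myusername rhost= user=myusername
Jul 11 15:54:06 rhel5test sudo: pam_sss(sudo-i:auth): authentication success; logname=myusername uid=21400161 euid=0 tty=/dev/pts/1 ruser=myusername rhost= user=myusername
Jul 11 15:54:06 rhel5test sudo: myusername : TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=/bin/bash
Jul 11 15:54:06 rhel5test sudo: myusername : unable to establish credentials: User not known to the underlying authentication module ; TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=/bin/
"""

STAMP = r"^(\w{3}\s+\d+ [\d:]+) (\S+) sudo:\s+"
# PAM auth-phase verdict: "pam_sss(sudo-i:auth): authentication success; ... user=x"
PAM_RE = re.compile(STAMP + r"(pam_\w+)\([^:)]+:auth\): authentication "
                    r"(failure|success);.*\buser=(\S+)")
# sudo's own record: "x : unable to establish credentials: <reason> ; TTY=..."
ERR_RE = re.compile(STAMP + r"(\S+) : unable to establish credentials: (.+?) ; TTY=")


def credential_errors(log_text):
    """One finding per credential error, joined with the PAM auth verdicts
    logged in the same second for the same host and user (assumption:
    precise enough for a single interactive sudo invocation)."""
    verdicts = defaultdict(lambda: {"success": [], "failure": []})
    errors = []
    for line in log_text.splitlines():
        m = PAM_RE.match(line)
        if m:
            ts, host, module, result, user = m.groups()
            verdicts[(ts, host, user)][result].append(module)
            continue
        m = ERR_RE.match(line)
        if m:
            errors.append(m.groups())
    findings = []
    for ts, host, user, reason in errors:
        v = verdicts[(ts, host, user)]
        findings.append({"when": ts, "host": host, "user": user, "reason": reason,
                         "auth_ok": v["success"], "auth_failed": v["failure"]})
    return findings


if __name__ == "__main__":
    for f in credential_errors(SAMPLE_LOG):
        print(f"{f['when']} {f['host']} {f['user']}: {f['reason']}")
        print(f"  auth succeeded via {f['auth_ok']}, failed via {f['auth_failed']}")
```

On the sample, the single finding lists pam_sss under `auth_ok` and pam_unix under `auth_failed`, matching the two PAM lines that precede the error in the excerpt.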

