[sudo-users] sudo and nss_db fails to find group
Samuel Kesterson
skesterson at hotels.com
Mon Mar 2 10:03:44 MST 2015
Hello sudo-users,
I have several boxes (all configured with chef) which are using db
files for user identification. sudo works on some of them, and not on
others. The problem seems to be that sudo doesn't read nsswitch.conf or
something. Here is the behavior:
[sysadmin at pheleanstbods002 ~]$ sudo egrep '(FULLSUDOEXCLUSIONS|eanops_sudo)' /etc/sudoers.d/ean
Cmnd_Alias FULLSUDOEXCLUSIONS = /usr/bin/sudo -s, /bin/su -, /usr/bin/sudo sh, /usr/bin/sudo tcsh
%eanops_sudo ALL = (ALL) NOPASSWD: ALL, !FULLSUDOEXCLUSIONS
[sysadmin at pheleanstbods002 ~]$ getent group eanops_sudo
eanops_sudo:x:100267:skesterson
[sysadmin at pheleanstbods002 ~]$ sudo su - skesterson
[skesterson at pheleanstbods002 ~]$ sudo ls
[sudo] password for skesterson:
So my question is - what could be causing it to prompt for a password?
I've copied the contents of a working server's /etc/pam.d to this
one and it changes nothing. I've exhausted all of my google-fu to come
up with an answer. My suspicion is that sudo isn't looking up the
group according to nsswitch.conf (below). I suspect this because if I
put the group line in the /etc/group flat file, everything works as
expected.
passwd: db files
shadow: db files
group: db files
netgroup: db files
Does anyone have any ideas or directions to point me in
troubleshooting?
Thanks in advance
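An added diagnostic for the situation above (written for this page, not code from the post or from the sudo project): run as the affected user in the shell where sudo prompts, it compares the NSS view of a group (getent, which honours nsswitch.conf) with the supplementary group vector of the current process, which is what the sudoers %group match consults by default. The group and user names come from the post; the script name is an assumption.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. Usage: sh check_group.sh eanops_sudo
# Compares two views of a group membership:
#   NSS view     - getent group, resolved through nsswitch.conf (db, files, ...)
#   process view - id -Gn with no argument, i.e. getgroups() of this shell,
#                  which is the list sudoers %group rules are matched against by default.

# Pure helper: return 0 if USER is in the member list (4th field) of a
# group(5)-style LINE such as "eanops_sudo:x:100267:skesterson".
group_line_has_member() {
  _line=$1; _user=$2
  printf '%s\n' "$_line" | cut -d: -f4 | tr ',' '\n' | grep -qxF -- "$_user"
}

# NSS view: 0 = member, 1 = group exists but user not listed, 2 = no such group.
nss_has_member() {
  _g=$(getent group "$1") || return 2
  group_line_has_member "$_g" "$2"
}

# Process view: is GROUP among this session's supplementary groups?
proc_has_group() {
  id -Gn | tr ' ' '\n' | grep -qxF -- "$1"
}

# One-line verdict for GROUP and the invoking user.
diagnose() {
  _group=$1; _user=$(id -un)
  nss_has_member "$_group" "$_user"; _n=$?
  proc_has_group "$_group";          _p=$?
  case "$_n$_p" in
    00) echo "ok: $_user is in $_group both in NSS and in this session's group vector" ;;
    01) echo "NSS lists $_user in $_group, but this session's group vector lacks it: the session predates the membership or initgroups() did not see the db source; log in again and re-check" ;;
    10) echo "$_group is in the group vector but NSS does not list $_user as a member (stale or inconsistent db file?)" ;;
    11) echo "$_user is not a member of $_group in NSS nor in this session" ;;
    2*) echo "$_group cannot be resolved via NSS: check the 'group:' line in nsswitch.conf and the db file" ;;
    *)  echo "unexpected result nss=$_n proc=$_p" ;;
  esac
}

if [ $# -eq 1 ]; then diagnose "$1"; else echo "usage: $0 GROUP" >&2; fi
```

Recent sudo 1.8 releases also expose a group_source setting in sudo.conf (static, dynamic, or the default adaptive) that decides whether sudoers uses the process's group vector or queries the group list through NSS, so the "01" verdict above is the one to rule out before suspecting nss_db itself.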