[sudo-users] sudo and nss_db fails to find group

Samuel Kesterson skesterson at hotels.com
Mon Mar 2 10:03:44 MST 2015

Hello sudo-users,

     I have several boxes (all configured with chef) which are using db 
files for user identification. sudo works on some of them, and not on 
others. The problem seems to be that sudo doesn't  read nsswitch.conf or 
something. Here is the behavior:

             [sysadmin at pheleanstbods002 ~]$ sudo egrep 
'(FULLSUDOEXCLUSIONS|eanops_sudo)' /etc/sudoers.d/ean
             Cmnd_Alias FULLSUDOEXCLUSIONS = /usr/bin/sudo -s, /bin/su 
-, /usr/bin/sudo sh, /usr/bin/sudo tcsh
             %eanops_sudo ALL = (ALL) NOPASSWD: ALL, !FULLSUDOEXCLUSIONS

             [sysadmin at pheleanstbods002 ~]$ getent group eanops_sudo

             [sysadmin at pheleanstbods002 ~]$ sudo su - skesterson

             [skesterson at pheleanstbods002 ~]$ sudo ls
             [sudo] password for skesterson:

     So my question is - what could be causing it to prompt for a password?

     I've copied the contents of a working server's /etc/pam.d to this 
one and it changes nothing. I've exhausted all of my google-fu to come 
up with an answer.  My suspiciion is that sudo isn't looking up the 
group according to nsswitch.conf (below). I suspect this because if I 
put the group line in the /etc/group flat file, everything works as 

             passwd: db files
             shadow: db files
             group: db files
             netgroup: db files

     Does anyone have any ideas or directions to point me in 

Thanks in advance

More information about the sudo-users mailing list