[sudo-users] listpw/verifypw issues with sssd and ldap
Michael Fischer
mfischer at zendesk.com
Thu Apr 7 18:02:16 MDT 2016
It appears there's a bug in sudo (at least as of 1.8.9p5) that prevents
listpw and verifypw from working as expected in LDAP environments:
Here are the conditions:
- /etc/nsswitch.conf has "sudoers: files sss" or "sudoers: files ldap"
- the listpw and verifypw options are left at defaults (listpw: any,
verifypw: all)
- user bob's sudoers rules are as follows:
in /etc/sudoers:
bob ALL=NOPASSWD:/some/command
in LDAP (translated for readability):
bob ALL=/some/other/command
Expected outcome: "sudo -v" prompts for a password
Actual outcome: "sudo -v" does not prompt for a password
However, if I add the following line to /etc/sudoers:
bob ALL=/yet/another/command
Then, "sudo -v" will prompt for a password.
The evidence suggests to me that rules stored in LDAP are not being
evaluated for the purpose of determining whether "All the user's sudoers
entries for the current host [] have the NOPASSWD flag set."
Thanks,
--Michael
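To make the verifypw/listpw rule the post quotes concrete, here is a small model of that decision, added as an illustration for this thread. It is not sudo's code and nothing from the poster; it reads no sudoers file or directory. The Rule objects are constructed to mirror the post (one NOPASSWD rule from /etc/sudoers, one password-required rule from LDAP), the "backends" parameter models which nsswitch sources are consulted when NOPASSWD flags are collected (the poster's hypothesis is that only "files" is), and treating "no applicable entry" as "prompt" is an assumption of the model.

```python
# Model of the sudoers(5) verifypw / listpw decision, written as an added
# illustration for this thread; it is not sudo's code and does not touch a
# real sudoers file or LDAP directory.  The rules below are constructed to
# mirror the post.
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Rule:
    user: str
    host: str              # "ALL" or a specific hostname
    command: str
    nopasswd: bool = False
    source: str = "files"  # nsswitch backend the rule came from: files, ldap, sss


def applicable_rules(user: str, host: str, rules: Iterable[Rule]) -> list:
    """Entries that apply to this user on this host (Host_List 'ALL' or exact match)."""
    return [r for r in rules if r.user == user and r.host in ("ALL", host)]


def needs_password(policy: str, applicable: Sequence[Rule]) -> bool:
    """sudoers(5) semantics shared by verifypw (sudo -v) and listpw (sudo -l):
       all    - no prompt only if every applicable entry has NOPASSWD
       any    - no prompt if at least one applicable entry has NOPASSWD
       always - always prompt
       never  - never prompt
    With no applicable entries this model prompts (an assumption of the
    model; real sudo rejects the user earlier in that case)."""
    if policy == "always":
        return True
    if policy == "never":
        return False
    if not applicable:
        return True
    flags = [r.nopasswd for r in applicable]
    if policy == "all":
        return not all(flags)
    if policy == "any":
        return not any(flags)
    raise ValueError(f"unknown policy {policy!r}")


# Constructed rule set from the post: a NOPASSWD rule in /etc/sudoers and a
# password-required rule from LDAP.
RULES = [
    Rule("bob", "ALL", "/some/command", nopasswd=True, source="files"),
    Rule("bob", "ALL", "/some/other/command", nopasswd=False, source="ldap"),
]
ALL_BACKENDS = ("files", "ldap", "sss")


def sudo_v(user: str, host: str, rules: Iterable[Rule],
           backends: Sequence[str] = ALL_BACKENDS,
           verifypw: str = "all") -> bool:
    """True if `sudo -v` would prompt.  `backends` models which nsswitch
    sources are consulted when the NOPASSWD flags are collected."""
    considered = [r for r in rules if r.source in backends]
    return needs_password(verifypw, applicable_rules(user, host, considered))


def sudo_l(user: str, host: str, rules: Iterable[Rule],
           backends: Sequence[str] = ALL_BACKENDS,
           listpw: str = "any") -> bool:
    """True if `sudo -l` would prompt, with the default listpw of 'any'."""
    considered = [r for r in rules if r.source in backends]
    return needs_password(listpw, applicable_rules(user, host, considered))


if __name__ == "__main__":
    host = "host1"
    print("expected (files + ldap evaluated): prompt =", sudo_v("bob", host, RULES))
    print("observed (files only evaluated):   prompt =",
          sudo_v("bob", host, RULES, backends=("files",)))
    extra = RULES + [Rule("bob", "ALL", "/yet/another/command", source="files")]
    print("with a third rule in /etc/sudoers: prompt =",
          sudo_v("bob", host, extra, backends=("files",)))
```

Run stand-alone it prints the three cases from the post: with both backends evaluated "sudo -v" prompts, with only the files backend evaluated it does not, and adding a third non-NOPASSWD rule to /etc/sudoers makes it prompt again even when only files are considered. The model is only a reading of the documented semantics; confirming where real sudo drops the LDAP entries requires reading its source.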