[sudo-users] AIX sudo - Unable to match host LDAP netgroup.

Todd C. Miller Todd.Miller at sudo.ws
Thu Mar 31 09:08:25 MDT 2022


By default, sudo uses the system's innetgr() function to determine
whether or not a user or host is a member of a netgroup.  Sudo's
netgr_matches() function calls innetgr().

Mar 30 16:21:55 sudo[3015636] -> host_matches @ ./match.c:328
Mar 30 16:21:55 sudo[3015636] -> netgr_matches @ ./match.c:645
Mar 30 16:21:55 sudo[3015636] -> sudo_getdomainname @ ./match.c:590
Mar 30 16:21:55 sudo[3015636] <- sudo_getdomainname @ ./match.c:622 := (null)
Mar 30 16:21:55 sudo[3015636] netgroup hgrp_test matches (hiabld1|hiabld1, ,): false @ netgr_matches() ./match.c:671
Mar 30 16:21:55 sudo[3015636] <- netgr_matches @ ./match.c:674 := false
Mar 30 16:21:55 sudo[3015636] <- host_matches @ ./match.c:360 := -1

From the above I can see that sudo's netgr_matches() is trying to
match host hiabld1 to netgroup hgrp_test but innetgr() returns false.

I'm far from an AIX expert but from what I've read it seems like
AIX doesn't support netgroups natively unless you are using some
flavor of NIS.  Based on:
https://www.ibm.com/docs/en/aix/7.1?topic=files-usrlibsecuritymethodscfg-file
it looks like to enable LDAP netgroups you would need to add:

    options = netgroup

to the LDAP section in /usr/lib/security/methods.cfg and _also_ set
the registry and SYSTEM values in /etc/security/user to "compat"
instead of LDAP.

Unfortunately, I don't know of a good way to look up netgroups from
the shell, short of writing a small C program to call innetgr()
directly.

While sudo can query the LDAP nisNetgroup object directly by setting
NETGROUP_BASE in ldap.conf this is currently only used to determine
what netgroups a user is a member of.  It is not used for host-based
netgroups at all--the system's native netgroup support is used for
that.

 - todd
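Added example (not part of Todd's message and not code from sudo): the small C program the message alludes to, which calls the system's innetgr() directly so that a host-or-user-in-netgroup question can be asked from the shell without going through sudo. It mirrors what the debug trace shows: sudo passes the NIS domain to innetgr() when one is set and NULL otherwise, and a NULL host or user is a wildcard. The netgroup and host names in the usage text (hgrp_test, hiabld1) are just those from the trace; the domain-name handling, the "-" wildcard convention and the exit codes are this example's own choices, not sudo's.

```c
/*
 * innetgr_check.c: query the system's netgroup support directly, the way
 * sudo's netgr_matches() does, so a host/user-in-netgroup test can be run
 * from the shell. Added example, not sudo's code.
 *
 * Build: cc -o innetgr_check innetgr_check.c
 * Usage: ./innetgr_check NETGROUP [HOST|-] [USER|-]
 *        "-" (or a missing argument) is a wildcard, as NULL is for innetgr().
 * Exit status: 0 = member, 1 = not a member (or lookup failed), 2 = usage.
 */
#define _GNU_SOURCE          /* glibc: expose innetgr() and getdomainname() */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DOMAIN_BUFSZ 256

/*
 * Return the NIS domain name, or NULL when none is set. The trace shows
 * sudo_getdomainname := (null) on the reporter's host, so sudo passes NULL,
 * which tells innetgr() to accept any domain in the netgroup triple.
 */
const char *nis_domain(char *buf, size_t len)
{
    if (len == 0 || getdomainname(buf, len) != 0)
        return NULL;
    buf[len - 1] = '\0';
    /* Linux reports "(none)" when no domain is set; other systems return "". */
    if (buf[0] == '\0' || strcmp(buf, "(none)") == 0)
        return NULL;
    return buf;
}

/*
 * Returns 1 if (host, user, domain) matches a triple in netgroup, else 0.
 * A NULL host or user is a wildcard. This is exactly the question sudo's
 * netgr_matches() asks the system's netgroup support.
 */
int netgroup_member(const char *netgroup, const char *host, const char *user,
                    const char *domain)
{
    return innetgr(netgroup, host, user, domain) ? 1 : 0;
}

/* Map the "-" / missing command-line convention onto innetgr()'s NULL. */
static const char *arg_or_null(int argc, char **argv, int idx)
{
    if (idx >= argc || strcmp(argv[idx], "-") == 0)
        return NULL;
    return argv[idx];
}

int main(int argc, char **argv)
{
    char dombuf[DOMAIN_BUFSZ];
    const char *domain, *host, *user;
    int member;

    if (argc < 2 || argc > 4) {
        fprintf(stderr, "usage: %s NETGROUP [HOST|-] [USER|-]\n", argv[0]);
        return 2;
    }
    host = arg_or_null(argc, argv, 2);
    user = arg_or_null(argc, argv, 3);
    domain = nis_domain(dombuf, sizeof dombuf);

    member = netgroup_member(argv[1], host, user, domain);
    /* Same shape as sudo's "netgroup X matches (host|user, user, domain)" line. */
    printf("netgroup %s matches (%s, %s, %s): %s\n", argv[1],
           host ? host : "*", user ? user : "*", domain ? domain : "*",
           member ? "true" : "false");
    return member ? 0 : 1;
}
```

To reproduce the host check from the trace, run `./innetgr_check hgrp_test hiabld1` on the AIX box; if it prints "false" and exits 1, the system's own netgroup lookup is what is failing (methods.cfg / registry settings), not sudo. `./innetgr_check hgrp_test - someuser` asks the user-side question instead. Because the program goes through innetgr() just as sudo does, it reflects whatever the host's NSS or methods.cfg configuration resolves, not what is in LDAP.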


More information about the sudo-users mailing list