[sudo-users] AIX sudo - Unable to match host LDAP netgroup.

Palmer, Hil S. Hilary.Palmer at unitypoint.org
Thu Mar 31 10:07:48 MDT 2022


That is interesting.  It would be nice to have sudo pull in the netgroup hosts in the defined ldap as well.

I will keep hacking on AIX.

Thank you,
Hil

-----Original Message-----
From: Todd C. Miller <Todd.Miller at sudo.ws>
Sent: Thursday, March 31, 2022 10:08 AM
To: Palmer, Hil S. <Hilary.Palmer at unitypoint.org>
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] AIX sudo - Unable to match host LDAP netgroup.

By default, sudo uses the system's innetgr() function to determine whether or not a user or host is a member of a netgroup.  Sudo's
netgr_matches() function calls innetgr().

Mar 30 16:21:55 sudo[3015636] -> host_matches @ ./match.c:328
Mar 30 16:21:55 sudo[3015636] -> netgr_matches @ ./match.c:645
Mar 30 16:21:55 sudo[3015636] -> sudo_getdomainname @ ./match.c:590
Mar 30 16:21:55 sudo[3015636] <- sudo_getdomainname @ ./match.c:622 := (null)
Mar 30 16:21:55 sudo[3015636] netgroup hgrp_test matches (hiabld1|hiabld1, ,): false @ netgr_matches() ./match.c:671
Mar 30 16:21:55 sudo[3015636] <- netgr_matches @ ./match.c:674 := false
Mar 30 16:21:55 sudo[3015636] <- host_matches @ ./match.c:360 := -1

From the above I can see that sudo's netgr_matches() is trying to match host hiabld1 to netgroup hgrp_test but innetgr() returns false.

I'm far from an AIX expert but from what I've read it seems like AIX doesn't support netgroups natively unless you are using some flavor of NIS.  Based on:
https://www.ibm.com/docs/en/aix/7.1?topic=files-usrlibsecuritymethodscfg-file
it looks like to enable LDAP netgroups you would need to add:

    options = netgroup

to the LDAP section in /usr/lib/security/methods.cfg and _also_ set the registry and SYSTEM values in /etc/security/user to "compat"
instead of LDAP.

Unfortunately, I don't know of a good way to look up netgroups from the shell, short of writing a small C program to call innetgr() directly.

While sudo can query the LDAP nisNetgroup object directly by setting NETGROUP_BASE in ldap.conf this is currently only used to determine what netgroups a user is a member of.  It is not used for host-based netgroups at all--the system's native netgroup support is used for that.

 - todd
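Todd mentions that the only reliable way to check netgroup membership from the shell is a small C program that calls innetgr() directly. The program below is an added example written for this thread; it is not sudo's code and not part of the original message. It mirrors what the debug trace shows sudo doing for a host match: it takes the NIS domain from getdomainname() (NULL when none is set, which is what the "(null)" in the trace corresponds to) and tries the host both as given and as its short name (the "hiabld1|hiabld1" pair in the trace). It assumes a libc that provides innetgr() and getdomainname(), as glibc and AIX do; the netgroup names used in the usage text are constructed placeholders.

```c
#define _GNU_SOURCE          /* innetgr() and getdomainname() prototypes on glibc */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* NIS domain for innetgr(), or NULL when none is set so the domain field
 * is treated as a wildcard (Linux reports "(none)" when it is unset). */
static const char *nis_domain(char *buf, size_t size)
{
    if (getdomainname(buf, size) != 0)
        return NULL;
    buf[size - 1] = '\0';
    if (buf[0] == '\0' || strcmp(buf, "(none)") == 0)
        return NULL;
    return buf;
}

/* 1 if `host` is a member of `netgroup`, 0 otherwise.  The host is tried
 * as given and, if it is fully qualified, again as its short name. */
int host_in_netgroup(const char *netgroup, const char *host)
{
    char dombuf[256], shorthost[256];
    const char *domain = nis_domain(dombuf, sizeof(dombuf));
    const char *dot;

    if (innetgr(netgroup, host, NULL, domain))
        return 1;
    dot = strchr(host, '.');
    if (dot != NULL && (size_t)(dot - host) < sizeof(shorthost)) {
        memcpy(shorthost, host, (size_t)(dot - host));
        shorthost[dot - host] = '\0';
        return innetgr(netgroup, shorthost, NULL, domain) ? 1 : 0;
    }
    return 0;
}

/* 1 if `user` is a member of `netgroup`, 0 otherwise. */
int user_in_netgroup(const char *netgroup, const char *user)
{
    char dombuf[256];
    const char *domain = nis_domain(dombuf, sizeof(dombuf));
    return innetgr(netgroup, NULL, user, domain) ? 1 : 0;
}

/* usage: innetgr-check NETGROUP [HOST] [USER]
 * With no HOST the local host name is used, which is what sudo matches. */
int main(int argc, char **argv)
{
    char hostbuf[256];
    const char *host;
    int rc;

    if (argc < 2 || argc > 4) {
        fprintf(stderr, "usage: %s netgroup [host] [user]\n", argv[0]);
        return 2;
    }
    if (argc >= 3) {
        host = argv[2];
    } else {
        if (gethostname(hostbuf, sizeof(hostbuf)) != 0) {
            perror("gethostname");
            return 2;
        }
        hostbuf[sizeof(hostbuf) - 1] = '\0';
        host = hostbuf;
    }

    rc = host_in_netgroup(argv[1], host);
    printf("host %s %s a member of netgroup %s\n",
           host, rc ? "IS" : "is NOT", argv[1]);

    if (argc == 4) {
        int urc = user_in_netgroup(argv[1], argv[3]);
        printf("user %s %s a member of netgroup %s\n",
               argv[3], urc ? "IS" : "is NOT", argv[1]);
        rc = rc && urc;
    }
    return rc ? 0 : 1;
}
```

Compile with `cc -o innetgr-check innetgr-check.c` and run it as `./innetgr-check hgrp_test hiabld1` on the AIX box. Because it goes through the same libc innetgr() that sudo calls, a "is NOT" answer here reproduces sudo's false result independently of sudo, which separates a methods.cfg / /etc/security/user netgroup configuration problem from a sudoers problem.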