[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
ubuntu sudoers won't talk to LDAP
- To: openldap-technical@openldap.org
- Subject: ubuntu sudoers won't talk to LDAP
- From: bluethundr <bluethundr@gmail.com>
- Date: Fri, 19 Nov 2010 14:23:49 -0500
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type; bh=RYbpxURb5HmWQhqWqIFUZSbtLlGz7ocuDE8T9TetbSw=; b=GjkBDxK788y03K1aLbMx95+HK6fO1RtSdtGY4C6F/hr+UpJPrrGf65FqtlmUzaQG22 sxdyTI1YS7xXCF8ovH93IgqPV6gv90M86vubMCIh3Udf08kvSxiLcWLXWY4+8UYEVgGc dhZrFONtOWINzZybTFpLsahmGfZb+ABYakKDY=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=jZdekEP+DcaJdQ7aZ4sC9elQArhW/Nlytn3u2VO12ZjW23ZCisgK2KwksXTCoNcpEy 8c/peFKpTrQH9IbqhBDvJyTHa08PXrqPQIhj70wd8idYnw+7a1prNPJ7p2WhZBRpllot XR0+4QEG/WsCakaGooaVY48/RMLBzigdqy87o=
Hello Ubuntu
On our network we have our sudoers stored in LDAP. This works fine on
the CentOS 5.4 clients by placing into /etc/ldap.conf
sudoers_base ou=sudoers,ou=Services,dc=example,dc=net
and in /etc/nsswitch.conf we have the entry:
sudoers: ldap
(setting this setting to just 'ldap' instead of 'files ldap' does not
render the machine unbootable as happens if you set passwd and group
this way).
However I am attempting to set this up on an Ubuntu 9.10 client and
getting no joy so far. I have the same settings in /etc/ldap.conf and
/etc/nsswitch.conf and cannot get sudoers to work.
On the Ubuntu box, I can get LDAP entries by typing in getent passwd |
grep ldapAccount, however when you attempt to sudo it fails:
bluethundr@ubuntu3:~$ sudo bash
>>> /etc/sudoers: syntax error near line 0 <<<
sudo: parse error in /etc/sudoers near line 0
sudo: no valid sudoers sources found, quitting
We leave our sudoers file blank intentionally in order to manage this
via LDAP. Again, this problem is ONLY happening under Ubuntu and not
under Centos 5.4.
The only real difference that I see between the two clients is the
sudo version. Could it be that under ubuntu LDAP sudo support isn't
compiled in? if so how to recompile it so that it does?
CentOS 5.4 sudo version:
[root@ldap2 ~]# sudo -V
Sudo version 1.7.2p1
Ubuntu 9.10 sudo version:
root@ubuntu3:~# sudo -V
Sudo version 1.7.0
[root@ldap2 ~]# sudo -V
Sudo version 1.7.2p1
And here are the linkages:
CentOS 5.4:
[root@ldap2 ~]# ldd $(which sudo)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aaaaacc8000)
libcap.so.1 => /lib64/libcap.so.1 (0x00002aaaaaee0000)
libpam.so.0 => /lib64/libpam.so.0 (0x00002aaaab0e4000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab2f0000)
libldap-2.3.so.0 => /usr/lib64/libldap-2.3.so.0 (0x00002aaaab4f4000)
libc.so.6 => /lib64/libc.so.6 (0x00002aaaab72e000)
libaudit.so.0 => /lib64/libaudit.so.0 (0x00002aaaaba86000)
liblber-2.3.so.0 => /usr/lib64/liblber-2.3.so.0 (0x00002aaaabc9e000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aaaabeac000)
/lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aaaac0f3000)
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002aaaac308000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaac521000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaac76e000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aaaacabf000)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aaaaccf7000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaaacf26000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aaaad1bb000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaaad3bd000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00002aaaad5e3000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aaaad7f7000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aaaad9ff000)
Ubuntu 9.10
bluethundr@ubuntu3:~$ ldd $(which sudo)
linux-gate.so.1 => (0x00914000)
libpam.so.0 => /lib/libpam.so.0 (0x00753000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x00223000)
libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00fa1000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x004f1000)
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00f35000)
/lib/ld-linux.so.2 (0x00d75000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0x00345000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x008d0000)
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00b77000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x002e3000)
libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x001df000)
libz.so.1 => /lib/libz.so.1 (0x007d6000)
libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x003f3000)
libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00110000)
Thanks for any input you may have!
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
Share and enjoy!!
[root@ldap2 ~]# sudo -V
Sudo version 1.7.2p1
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/libexec/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
XAUTHORIZATION
XAUTHORITY
TZ
PS2
PS1
PATH
MAIL
LS_COLORS
KRB5CCNAME
HOSTNAME
HOME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
10.196.103.223 / 255.255.254.0
root@ubuntu3:~# sudo -V
Sudo version 1.7.0
Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 15 minutes
Password prompt timeout: 0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
Path to the editor for use by visudo: /usr/bin/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/lib/sudo/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
PS4
SHELLOPTS
CDPATH
IFS
Environment variables to preserve:
http_proxy
XAUTHORIZATION
XAUTHORITY
TZ
PS2
PS1
PATH
MAIL
LS_COLORS
KRB5CCNAME
HOSTNAME
HOME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
10.0.2.15 / 255.255.255.0
192.168.50.101 / 255.255.255.0
fe80::a00:27ff:feae:c8ab / ffff:ffff:ffff:ffff::
fe80::a00:27ff:fe2a:7d3c / ffff:ffff:ffff:ffff::