[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ubuntu sudoers won't talk to LDAP
- To: openldap-technical@openldap.org
- Subject: Re: ubuntu sudoers won't talk to LDAP
- From: bluethundr <bluethundr@gmail.com>
- Date: Fri, 19 Nov 2010 18:35:10 -0500
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type; bh=UO4qk2xmwMnEyCFyKMfojj+BGtHbSS/W2hCK8CsGvbI=; b=FGvUrMR4cYzUvNv98edhUy7NlIyRJI0KuoodoWt81S18rAtR6cD/rhv/OHzKkAvX2G xXss210w2H7pTLgCMey70h8UMvzIgLRT/5cfqehpRWkzc0+yhvQ/Dqj38DkCmBEidV0O k0BmK31CkpT/CAbjxqf+KKV19fcHl29zgAXns=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=jN23LuJAUDU+z/A32kRMVu1AViqXKM0rY6j2pzlNu8oEENlHVAo9SJaHKtdO4Lc1/+ obVWYvTd88I9NKP6nlpJHwy/2vAjCX5q8rAiyRR2JcxwcTEkfTLO/IS+OMWGpt5HfCjm NYooweSd0UfNz/u0w4vKp3MeJay+92T2QLXuk=
- In-reply-to: <201011192049.32097.stef.coene@docum.org>
- References: <AANLkTin+a3YmiOqCYzUDmPLpb2=vDpSNw4+pFMxk-DOL@mail.gmail.com> <201011192049.32097.stef.coene@docum.org>
>My guess would be that it is a different version of sudo. Have you read the manual page for it?
>--Quanah
Yes I have, although thank you for the suggestion.
>I have 10.10 on my laptop and there is a separate ldap version of sudo: sudo-
>ldap.
>http://packages.ubuntu.com/karmic/sudo-ldap
As the user acccount I attempt to sudo bash:
bluethundr@ubuntu3:~$ sudo bash
And I get this response:
sudo: no valid sudoers sources found, quitting
I change to root:
bluethundr@ubuntu3:~$ su - root
Password:
have a lookat /etc/sudoers:
root@ubuntu3:~# cat /etc/sudoers
##This file is intentionally left empty
And check the setting in nsswitch:
root@ubuntu3:~# cat /etc/nsswitch.conf | grep sudoers:
sudoers: ldap
I check /etc/ldap/ldap.conf:
root@ubuntu3:~# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
uri ldap://ldap.example.net
base dc=example,dc=net
sudoers_base ou=sudoers,ou=Services,dc=example,dc=net
TLS_CACERT /certs/ldapscert.pem
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
I check that /etc/ldap.conf has an entry for sudoers:
root@ubuntu3:~# cat /etc/ldap.conf | grep sudo
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
I make sure that sudo-ldap is installed:
root@ubuntu3:~# aptitude search sudo-ldap
i sudo-ldap - Provide limited super user privileges to s
And correctly linked:
root@ubuntu3:~# ldd $(which sudo)
linux-gate.so.1 => (0x0011a000)
libpam.so.0 => /lib/libpam.so.0 (0x00940000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x00c8e000)
libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x008a2000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x009ed000)
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x0069d000)
/lib/ld-linux.so.2 (0x0018b000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0x0090c000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00991000)
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x001a8000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x008ed000)
libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x0084c000)
libz.so.1 => /lib/libz.so.1 (0x00fd6000)
libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00250000)
libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00110000)
In the right place for Ubuntu 9.10:
root@ubuntu3:~# which sudo
/usr/bin/sudo
root@ubuntu3:~# sudo -v
sudo: no valid sudoers sources found, quitting
And have a look at my sudo version and environment:
root@ubuntu3:~# sudo -V
Sudo version 1.7.0
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 15 minutes
Password prompt timeout: 0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
Path to the editor for use by visudo: /usr/bin/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/lib/sudo/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
PS4
SHELLOPTS
CDPATH
IFS
Environment variables to preserve:
http_proxy
XAUTHORIZATION
XAUTHORITY
TZ
PS2
PS1
PATH
MAIL
LS_COLORS
KRB5CCNAME
HOSTNAME
HOME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
10.0.2.15 / 255.255.255.0
192.168.50.101 / 255.255.255.0
fe80::a00:27ff:feae:c8ab / ffff:ffff:ffff:ffff::
fe80::a00:27ff:fe2a:7d3c / ffff:ffff:ffff:ffff::
I also make sure that the box is talking to LDAP for passwd:
root@ubuntu3:~# getent passwd | grep bluethundr
bluethundr:secret:20000:20000:Timothy P. thatguy:/home/bluethundr:/bin/bash
for group:
root@ubuntu3:~# getent group | grep bluethundr
adm:x:4:bluethundr
dialout:x:20:bluethundr
cdrom:x:24:bluethundr
plugdev:x:46:bluethundr
lpadmin:x:104:bluethundr
admin:x:115:bluethundr
bluethundr:x:1000:
sambashare:x:120:bluethundr
ldapusers:*:10000:bluethundr,jeff,tony,nick
bluethundr:*:20000:bluethundr
And make sure that the user account is not a local account:
root@ubuntu3:~# grep bluethundr /etc/passwd
root@ubuntu3:~#
So given all that why on earth is this not working? I had sudoers
setup under CentOS in about 5 minutes. But Ubuntu 9.10 still has me
head-desking!! Thank you for you help here!!
On Fri, Nov 19, 2010 at 2:49 PM, Stef Coene <stef.coene@docum.org> wrote:
> On Friday 19 November 2010, bluethundr wrote:
>> Hello Ubuntu
>>
>> On our network we have our sudoers stored in LDAP. This works fine on
>> the CentOS 5.4 clients by placing into /etc/ldap.conf
>>
>>
>> sudoers_base ou=sudoers,ou=Services,dc=example,dc=net
>>
>>
>> and in /etc/nsswitch.conf we have the entry:
>>
>>
>> sudoers: ldap
>>
>>
>> (setting this setting to just 'ldap' instead of 'files ldap' does not
>> render the machine unbootable as happens if you set passwd and group
>> this way).
>>
>> However I am attempting to set this up on an Ubuntu 9.10 client and
>> getting no joy so far. I have the same settings in /etc/ldap.conf and
>> /etc/nsswitch.conf and cannot get sudoers to work.
> I have 10.10 on my laptop and there is a separate ldap version of sudo: sudo-
> ldap.
>
> http://packages.ubuntu.com/karmic/sudo-ldap
>
>
> Stef
>
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
Share and enjoy!!