[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: sudoers: not able to execute commands with sudo

Thanks Buchan for your inputs.

I am using openldap-2.4.25 on RHEL5.4.
sudo -V as root
Sudo version 1.7.2p1
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'

I could configure the sudoers and it is working now.
The change i did was i removed all the changes made to /etc/pam.d/login file and in /etc/nswitch.conf added the entry
sudoer : files ldap

Thanks for your suggestions.

Naga Chaitanya

From: Buchan Milne [bgmilne@staff.telkomsa.net]
Sent: Monday, August 29, 2011 8:14 PM
To: openldap-technical@openldap.org
Cc: Naga Chaitanya Palle
Subject: Re: sudoers: not able to execute commands with sudo

On Monday, 29 August 2011 14:07:39 Naga Chaitanya Palle wrote:
> Hi,
> I have configured sudoers in my environment.

You may want to provide more detail on the environment (OS/distro, which LDAP-
base naming service - e.g. nss_ldap, pam-nss-ldapd etc. you are using).

> But when I try to execute a
> command using sudo, the commands fails to get executed saying "sysadmin is
> not in the sudoers file.  This incident will be reported." .
> I am using sysadmin account as mentioned in the below sudoers ldif file.
> login as: sysadmin
> sysadmin@'s password:
> Last login: Mon Aug 29 14:58:50 2011 from
> Could not chdir to home directory /home/sysadmin: No such file or directory

Maybe you need to add pam_mkhomedir to /etc/pam.d/system-auth ?

> -bash-3.2$ sudo ls
> [sudo] password for sysadmin:
> sysadmin is not in the sudoers file.  This incident will be reported.
> -bash-3.2$ sudo -V
> Sudo version 1.7.2p1

It would be more instructive to run 'sudo -V' as root.

> -bash-3.2$ sudo -l
> [sudo] password for sysadmin:
> Sorry, user sysadmin may not run sudo on devonly144.
> -bash-3.2

Since some of your sudo rules are group-based, you may want to provide the
output of 'id' or 'groups' here.

> On Server the sudoers file is
> /etc/openldap/slapd.conf
> include         /usr/share/openldap2.4/schema/sudo.schema
> index       sudoUser        eq
> /etc/openldap/ldap.conf
> sudoers_base   ou=SUDOers,dc=comverse-in,dc=com

This is probably the wrong ldap.conf, this should probably be one of
/etc/ldap.conf, /etc/nss_ldap.conf, /etc/sudo-ldap.conf, depending on the

> sudoers.ldif
> # SUDOers, comverse-in.com
> dn: ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: SUDOers
> dn: cn=defaults,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Default sudoOption's go here
> sudoOption: syslog=auth
> dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: root
> sudoUser: root
> sudoUser: sysadmin
> sudoHost: ALL
> sudoRunAsUser: ALL
> sudoCommand: ALL
> dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: %wheel
> sudoUser: %wheel
> sudoHost: ALL
> sudoRunAsUser: ALL
> sudoCommand: ALL
> dn: cn=operator,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: operator
> sudoUser: operator
> sudoHost: ALL
> sudoCommand: /usr/sbin/dump
> sudoCommand: /usr/sbin/rdump
> sudoCommand: /usr/sbin/restore
> sudoCommand: /usr/sbin/rrestore
> sudoCommand: /usr/bin/mt
> sudoCommand: /usr/bin/kill
> sudoCommand: /usr/sbin/shutdown
> sudoCommand: /usr/sbin/halt
> sudoCommand: /usr/sbin/reboot
> sudoCommand: /usr/sbin/lpc
> sudoCommand: /usr/bin/lprm
> sudoCommand: sudoedit /etc/printcap
> sudoCommand: /usr/oper/bin/
> dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: ALL
> sudoUser: ALL
> sudoHost: orion
> sudoCommand: /sbin/umount /CDROM
> sudoCommand: /sbin/mount -o nosuid\
> sudoCommand: nodev /dev/cd0a /CDROM
> sudoOption: !authenticate
> On client:
> /etc/ldap.conf
> sudoers_base   ou=SUDOers,dc=comverse-in,dc=com
> nss_base_passwd  ou=People,dc=comverse-in,dc=com?one
> nss_base_shadow  ou=People,dc=comverse-in,dc=com?one
> nss_base_group  ou=Group,dc=comverse-in,dc=com?one

Please check that this is the correct configuration file, according to 'sudo -
V' output as root.

> /etc/pam.d/login
> #%PAM-1.0
> auth [user_unknown=ignore success=ok ignore=ignore default=bad]
> pam_securetty.so auth       include      system-auth
> auth       required     pam_securetty.so
> auth   sufficient   pam_ldap.so
> auth   required   pam_stack.so service=system-auth
> auth   required   pam_nologin.so
> account    required     pam_nologin.so
> account    include      system-auth
> account  sufficient   pam_ldap.so
> account  required   pam_stack.so service=system-auth
> password   include      system-auth
> password  sufficient   pam_ldap.so
> password  required   pam_stack.so service=system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    include      system-auth
> session    required     pam_loginuid.so
> session    optional     pam_console.so
> # pam_selinux.so open should only be followed by sessions to be executed in
> the user context session    required     pam_selinux.so open
> session    optional     pam_keyinit.so force revoke
> session  sufficient   pam_ldap.so
> session  required  pam_stack.so service=system-auth
> session  optional  pam_console.so
> session  required  /lib/security/pam_limits.so

In most environments it is preferable to configure LDAP authentication in a
single service file that is referenced by the others, in this case
/etc/pam.d/system-auth, rather than the individual service files.

> /etc/nsswitch.conf
> passwd:     ldap files
> shadow:     ldap files
> group:      ldap files

In 1.7.x you may need to add:

sudoers: files ldap

or similar to /etc/nsswitch.conf (depending on the sudo build-time
configuration, which you can see with 'sudo -V' as root).


Please refer to http://www.aricent.com/legal/email_disclaimer.html
for important disclosures regarding this electronic communication.