FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu User

 
 
LinkBack Thread Tools
 
Old 11-19-2010, 06:23 PM
bluethundr
 
Default ubuntu sudoers won't talk to LDAP

Hello Ubuntu

On our network we have our sudoers stored in LDAP. This works fine on
the CentOS 5.4 clients by placing into /etc/ldap.conf


sudoers_base ou=sudoers,ou=Services,dc=example,dc=net


and in /etc/nsswitch.conf we have the entry:


sudoers: ldap


(setting this setting to just 'ldap' instead of 'files ldap' does not
render the machine unbootable as happens if you set passwd and group
this way).

However I am attempting to set this up on an Ubuntu 9.10 client and
getting no joy so far. I have the same settings in /etc/ldap.conf and
/etc/nsswitch.conf and cannot get sudoers to work.

On the Ubuntu box, I can get LDAP entries by typing in getent passwd |
grep ldapAccount, however when you attempt to sudo it fails:


bluethundr@ubuntu3:~$ sudo bash
>>> /etc/sudoers: syntax error near line 0 <<<
sudo: parse error in /etc/sudoers near line 0
sudo: no valid sudoers sources found, quitting


We leave our sudoers file blank intentionally in order to manage this
via LDAP. Again, this problem is ONLY happening under Ubuntu and not
under Centos 5.4.

The only real difference that I see between the two clients is the
sudo version. Could it be that under ubuntu LDAP sudo support isn't
compiled in? if so how to recompile it so that it does?

CentOS 5.4 sudo version:

[root@ldap2 ~]# sudo -V
Sudo version 1.7.2p1


Ubuntu 9.10 sudo version:


root@ubuntu3:~# sudo -V
Sudo version 1.7.0




[root@ldap2 ~]# sudo -V
Sudo version 1.7.2p1


And here are the linkages:

CentOS 5.4:


[root@ldap2 ~]# ldd $(which sudo)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aaaaacc8000)
libcap.so.1 => /lib64/libcap.so.1 (0x00002aaaaaee0000)
libpam.so.0 => /lib64/libpam.so.0 (0x00002aaaab0e4000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab2f0000)
libldap-2.3.so.0 => /usr/lib64/libldap-2.3.so.0 (0x00002aaaab4f4000)
libc.so.6 => /lib64/libc.so.6 (0x00002aaaab72e000)
libaudit.so.0 => /lib64/libaudit.so.0 (0x00002aaaaba86000)
liblber-2.3.so.0 => /usr/lib64/liblber-2.3.so.0 (0x00002aaaabc9e000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aaaabeac000)
/lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aaaac0f3000)
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002aaaac308000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaac521000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaac76e000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aaaacabf000)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aaaaccf7000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaaacf26000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aaaad1bb000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaaad3bd000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00002aaaad5e3000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aaaad7f7000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aaaad9ff000)



Ubuntu 9.10

bluethundr@ubuntu3:~$ ldd $(which sudo)
linux-gate.so.1 => (0x00914000)
libpam.so.0 => /lib/libpam.so.0 (0x00753000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x00223000)
libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00fa1000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x004f1000)
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00f35000)
/lib/ld-linux.so.2 (0x00d75000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0x00345000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x008d0000)
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00b77000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x002e3000)
libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x001df000)
libz.so.1 => /lib/libz.so.1 (0x007d6000)
libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x003f3000)
libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00110000)



Thanks for any input you may have!
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!
[root@ldap2 ~]# sudo -V
Sudo version 1.7.2p1

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/libexec/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
XAUTHORIZATION
XAUTHORITY
TZ
PS2
PS1
PATH
MAIL
LS_COLORS
KRB5CCNAME
HOSTNAME
HOME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
10.196.103.223 / 255.255.254.0

root@ubuntu3:~# sudo -V
Sudo version 1.7.0

Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 15 minutes
Password prompt timeout: 0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
Path to the editor for use by visudo: /usr/bin/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/lib/sudo/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
PS4
SHELLOPTS
CDPATH
IFS
Environment variables to preserve:
http_proxy
XAUTHORIZATION
XAUTHORITY
TZ
PS2
PS1
PATH
MAIL
LS_COLORS
KRB5CCNAME
HOSTNAME
HOME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
10.0.2.15 / 255.255.255.0
192.168.50.101 / 255.255.255.0
fe80::a00:27ff:feae:c8ab / ffff:ffff:ffff:ffff::
fe80::a00:27ff:fe2a:7d3c / ffff:ffff:ffff:ffff::

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 11-22-2010, 05:08 AM
Tom H
 
Default ubuntu sudoers won't talk to LDAP

On Fri, Nov 19, 2010 at 2:23 PM, bluethundr <bluethundr@gmail.com> wrote:
>
> On our network we have our sudoers stored in LDAP. This works fine on
> the CentOS 5.4 clients by placing into /etc/ldap.conf
> sudoers_base ou=sudoers,ou=Services,dc=example,dc=net
>
> and in /etc/nsswitch.conf we have the entry:
> sudoers: ldap
>
> However I am attempting to set this up on an Ubuntu 9.10 client and
> getting no joy so far. I have the same settings in /etc/ldap.conf and
> /etc/nsswitch.conf and cannot get sudoers to work.
>
> On the Ubuntu box, I can get LDAP entries by typing in getent passwd |
> grep ldapAccount, however when you attempt to sudo it fails:
>
> bluethundr@ubuntu3:~$ sudo bash
>>>> /etc/sudoers: syntax error near line 0 <<<
> sudo: parse error in /etc/sudoers near line 0
> sudo: no valid sudoers sources found, quitting
>
> We leave our sudoers file blank intentionally in order to manage this
> via LDAP. Again, this problem is ONLY happening under Ubuntu and not
> under Centos 5.4.
>
> The only real difference that I see between the two clients is the
> sudo version. Could it be that under ubuntu LDAP sudo support isn't
> compiled in? if so how to recompile it so that it does?
>
> CentOS 5.4 sudo version:
> [root@ldap2 ~]# sudo -V
> Sudo version 1.7.2p1
>
> Ubuntu 9.10 sudo version:
> root@ubuntu3:~# sudo -V
> Sudo version 1.7.0
>
> And here are the linkages:
>
> CentOS 5.4:
> [root@ldap2 ~]# ldd $(which sudo)
> * * * *libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aaaaacc8000)
> * * * *libcap.so.1 => /lib64/libcap.so.1 (0x00002aaaaaee0000)
> * * * *libpam.so.0 => /lib64/libpam.so.0 (0x00002aaaab0e4000)
> * * * *libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab2f0000)
> * * * *libldap-2.3.so.0 => /usr/lib64/libldap-2.3.so.0 (0x00002aaaab4f4000)
> * * * *libc.so.6 => /lib64/libc.so.6 (0x00002aaaab72e000)
> * * * *libaudit.so.0 => /lib64/libaudit.so.0 (0x00002aaaaba86000)
> * * * *liblber-2.3.so.0 => /usr/lib64/liblber-2.3.so.0 (0x00002aaaabc9e000)
> * * * *libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aaaabeac000)
> * * * */lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)
> * * * *libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aaaac0f3000)
> * * * *libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002aaaac308000)
> * * * *libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaac521000)
> * * * *libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaac76e000)
> * * * *libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aaaacabf000)
> * * * *libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aaaaccf7000)
> * * * *libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaaacf26000)
> * * * *libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aaaad1bb000)
> * * * *libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaaad3bd000)
> * * * *libz.so.1 => /usr/lib64/libz.so.1 (0x00002aaaad5e3000)
> * * * *libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aaaad7f7000)
> * * * *libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aaaad9ff000)
>
> Ubuntu 9.10
> bluethundr@ubuntu3:~$ ldd $(which sudo)
> * * * *linux-gate.so.1 => *(0x00914000)
> * * * *libpam.so.0 => /lib/libpam.so.0 (0x00753000)
> * * * *libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x00223000)
> * * * *libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00fa1000)
> * * * *libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x004f1000)
> * * * *liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00f35000)
> * * * */lib/ld-linux.so.2 (0x00d75000)
> * * * *libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0x00345000)
> * * * *libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x008d0000)
> * * * *libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00b77000)
> * * * *libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x002e3000)
> * * * *libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x001df000)
> * * * *libz.so.1 => /lib/libz.so.1 (0x007d6000)
> * * * *libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x003f3000)
> * * * *libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00110000)

Ubuntu's sudo's linked to libldap so I'd assume that it's ldap-"compatible".

You might get more info by adding "sudoers_debug 2" to
"/etc/ldap.conf" and trying "sudo ..." again.

Does "/etc/pam.d/sudo" exist?

You could upgrade sudo to 1.7.2 on ubuntu3. Both Lucid and Maverick have it.

You could install sudo-ldap. I was under the impression that it didn't
use pam but "aptitude show sudo-ldap" says that it does use it.
"aptitude show sudo-ldap" also says that it conflicts with sudo so it
may be that sudo-ldap is compiled with ldap support and that sudo
isn't (in spite of the ldd output above).

Out of curiosity (trying to figure out whether sudo has ldap support
and whether it differs from sudo-ldap in some other way), what's the
output of "sudo -l"?

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 

Thread Tools




All times are GMT. The time now is 10:24 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org