[Date Prev][Date Next] [Chronological] [Thread] [Top]

ubuntu sudoers won't talk to LDAP



Hello Ubuntu

On our network we have our sudoers stored in LDAP. This works fine on
the CentOS 5.4 clients by placing into /etc/ldap.conf


sudoers_base ou=sudoers,ou=Services,dc=example,dc=net


and in /etc/nsswitch.conf we have the entry:


sudoers: ldap


(setting this setting to just 'ldap' instead of 'files ldap' does not
render the machine unbootable as happens if you set passwd and group
this way).

However I am attempting to set this up on an Ubuntu 9.10 client and
getting no joy so far. I have the same settings in /etc/ldap.conf and
/etc/nsswitch.conf and cannot get sudoers to work.

On the Ubuntu box, I can get LDAP entries by typing in getent passwd |
grep ldapAccount, however when you attempt to sudo it fails:


bluethundr@ubuntu3:~$ sudo bash
>>> /etc/sudoers: syntax error near line 0 <<<
sudo: parse error in /etc/sudoers near line 0
sudo: no valid sudoers sources found, quitting


We leave our sudoers file blank intentionally in order to manage this
via LDAP. Again, this problem is ONLY happening under Ubuntu and not
under Centos 5.4.

The only real difference that I see between the two clients is the
sudo version. Could it be that under ubuntu LDAP sudo support isn't
compiled in? if so how to recompile it so that it does?

CentOS 5.4 sudo version:

[root@ldap2 ~]# sudo -V
Sudo version 1.7.2p1


Ubuntu 9.10 sudo version:


root@ubuntu3:~# sudo -V
Sudo version 1.7.0




[root@ldap2 ~]# sudo -V
Sudo version 1.7.2p1


And here are the linkages:

CentOS 5.4:


[root@ldap2 ~]# ldd $(which sudo)
	libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aaaaacc8000)
	libcap.so.1 => /lib64/libcap.so.1 (0x00002aaaaaee0000)
	libpam.so.0 => /lib64/libpam.so.0 (0x00002aaaab0e4000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab2f0000)
	libldap-2.3.so.0 => /usr/lib64/libldap-2.3.so.0 (0x00002aaaab4f4000)
	libc.so.6 => /lib64/libc.so.6 (0x00002aaaab72e000)
	libaudit.so.0 => /lib64/libaudit.so.0 (0x00002aaaaba86000)
	liblber-2.3.so.0 => /usr/lib64/liblber-2.3.so.0 (0x00002aaaabc9e000)
	libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aaaabeac000)
	/lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)
	libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aaaac0f3000)
	libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002aaaac308000)
	libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaac521000)
	libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaac76e000)
	libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aaaacabf000)
	libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aaaaccf7000)
	libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaaacf26000)
	libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aaaad1bb000)
	libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaaad3bd000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00002aaaad5e3000)
	libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aaaad7f7000)
	libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aaaad9ff000)



Ubuntu 9.10

bluethundr@ubuntu3:~$ ldd $(which sudo)
	linux-gate.so.1 =>  (0x00914000)
	libpam.so.0 => /lib/libpam.so.0 (0x00753000)
	libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x00223000)
	libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00fa1000)
	libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x004f1000)
	liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00f35000)
	/lib/ld-linux.so.2 (0x00d75000)
	libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0x00345000)
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x008d0000)
	libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00b77000)
	libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x002e3000)
	libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x001df000)
	libz.so.1 => /lib/libz.so.1 (0x007d6000)
	libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x003f3000)
	libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00110000)



Thanks for any input you may have!

-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!
[root@ldap2 ~]# sudo -V
Sudo version 1.7.2p1

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p: 
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/libexec/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
	TERM
	LINGUAS
	LC_*
	LANGUAGE
	LANG
	COLORTERM
Environment variables to remove:
	RUBYOPT
	RUBYLIB
	PYTHONINSPECT
	PYTHONPATH
	PYTHONHOME
	TMPPREFIX
	ZDOTDIR
	READNULLCMD
	NULLCMD
	FPATH
	PERL5DB
	PERL5OPT
	PERL5LIB
	PERLLIB
	PERLIO_DEBUG 
	JAVA_TOOL_OPTIONS
	SHELLOPTS
	GLOBIGNORE
	PS4
	BASH_ENV
	ENV
	TERMCAP
	TERMPATH
	TERMINFO_DIRS
	TERMINFO
	_RLD*
	LD_*
	PATH_LOCALE
	NLSPATH
	HOSTALIASES
	RES_OPTIONS
	LOCALDOMAIN
	CDPATH
	IFS
Environment variables to preserve:
	XAUTHORIZATION
	XAUTHORITY
	TZ
	PS2
	PS1
	PATH
	MAIL
	LS_COLORS
	KRB5CCNAME
	HOSTNAME
	HOME
	DISPLAY
	COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
	10.196.103.223 / 255.255.254.0

root@ubuntu3:~# sudo -V
Sudo version 1.7.0

Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 15 minutes
Password prompt timeout: 0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p: 
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
Path to the editor for use by visudo: /usr/bin/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/lib/sudo/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
	TERM
	LINGUAS
	LC_*
	LANGUAGE
	LANG
	COLORTERM
Environment variables to remove:
	RUBYOPT
	RUBYLIB
	PYTHONINSPECT
	PYTHONPATH
	PYTHONHOME
	TMPPREFIX
	ZDOTDIR
	READNULLCMD
	NULLCMD
	FPATH
	PERL5DB
	PERL5OPT
	PERL5LIB
	PERLLIB
	PERLIO_DEBUG 
	JAVA_TOOL_OPTIONS
	SHELLOPTS
	GLOBIGNORE
	PS4
	BASH_ENV
	ENV
	TERMCAP
	TERMPATH
	TERMINFO_DIRS
	TERMINFO
	_RLD*
	LD_*
	PATH_LOCALE
	NLSPATH
	HOSTALIASES
	RES_OPTIONS
	LOCALDOMAIN
	PS4
	SHELLOPTS
	CDPATH
	IFS
Environment variables to preserve:
	http_proxy
	XAUTHORIZATION
	XAUTHORITY
	TZ
	PS2
	PS1
	PATH
	MAIL
	LS_COLORS
	KRB5CCNAME
	HOSTNAME
	HOME
	DISPLAY
	COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
	10.0.2.15 / 255.255.255.0
	192.168.50.101 / 255.255.255.0
	fe80::a00:27ff:feae:c8ab / ffff:ffff:ffff:ffff::
	fe80::a00:27ff:fe2a:7d3c / ffff:ffff:ffff:ffff::