[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ubuntu sudoers won't talk to LDAP



>My guess would be that it is a different version of sudo.  Have you read the manual page for it?

>--Quanah


Yes I have, although thank you for the suggestion.


>I have 10.10 on my laptop and there is a separate ldap version of sudo: sudo-
>ldap.

>http://packages.ubuntu.com/karmic/sudo-ldap


As the user acccount I attempt to sudo bash:

bluethundr@ubuntu3:~$ sudo bash


And I get this response:

sudo: no valid sudoers sources found, quitting

I change to root:


bluethundr@ubuntu3:~$ su - root
Password:

have a lookat /etc/sudoers:

root@ubuntu3:~# cat /etc/sudoers
##This file is intentionally left empty

And check the setting in nsswitch:

root@ubuntu3:~# cat /etc/nsswitch.conf | grep sudoers:
sudoers:        ldap

I check /etc/ldap/ldap.conf:

root@ubuntu3:~# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
uri	ldap://ldap.example.net
base dc=example,dc=net
sudoers_base ou=sudoers,ou=Services,dc=example,dc=net
TLS_CACERT /certs/ldapscert.pem

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

I check that /etc/ldap.conf has an entry for sudoers:

root@ubuntu3:~# cat /etc/ldap.conf | grep sudo
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net


I make sure that sudo-ldap is installed:

root@ubuntu3:~# aptitude search sudo-ldap
i   sudo-ldap                       - Provide limited super user privileges to s

And correctly linked:

root@ubuntu3:~# ldd $(which sudo)
	linux-gate.so.1 =>  (0x0011a000)
	libpam.so.0 => /lib/libpam.so.0 (0x00940000)
	libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x00c8e000)
	libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x008a2000)
	libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x009ed000)
	liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x0069d000)
	/lib/ld-linux.so.2 (0x0018b000)
	libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0x0090c000)
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00991000)
	libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x001a8000)
	libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x008ed000)
	libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x0084c000)
	libz.so.1 => /lib/libz.so.1 (0x00fd6000)
	libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00250000)
	libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00110000)

In the right place for Ubuntu 9.10:

root@ubuntu3:~# which sudo
/usr/bin/sudo
root@ubuntu3:~# sudo -v
sudo: no valid sudoers sources found, quitting

And have a look at my sudo version and environment:

root@ubuntu3:~# sudo -V
Sudo version 1.7.0

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 15 minutes
Password prompt timeout: 0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
Path to the editor for use by visudo: /usr/bin/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/lib/sudo/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
	TERM
	LINGUAS
	LC_*
	LANGUAGE
	LANG
	COLORTERM
Environment variables to remove:
	RUBYOPT
	RUBYLIB
	PYTHONINSPECT
	PYTHONPATH
	PYTHONHOME
	TMPPREFIX
	ZDOTDIR
	READNULLCMD
	NULLCMD
	FPATH
	PERL5DB
	PERL5OPT
	PERL5LIB
	PERLLIB
	PERLIO_DEBUG
	JAVA_TOOL_OPTIONS
	SHELLOPTS
	GLOBIGNORE
	PS4
	BASH_ENV
	ENV
	TERMCAP
	TERMPATH
	TERMINFO_DIRS
	TERMINFO
	_RLD*
	LD_*
	PATH_LOCALE
	NLSPATH
	HOSTALIASES
	RES_OPTIONS
	LOCALDOMAIN
	PS4
	SHELLOPTS
	CDPATH
	IFS
Environment variables to preserve:
	http_proxy
	XAUTHORIZATION
	XAUTHORITY
	TZ
	PS2
	PS1
	PATH
	MAIL
	LS_COLORS
	KRB5CCNAME
	HOSTNAME
	HOME
	DISPLAY
	COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
	10.0.2.15 / 255.255.255.0
	192.168.50.101 / 255.255.255.0
	fe80::a00:27ff:feae:c8ab / ffff:ffff:ffff:ffff::
	fe80::a00:27ff:fe2a:7d3c / ffff:ffff:ffff:ffff::

I also make sure that the box is talking to LDAP for passwd:

root@ubuntu3:~# getent passwd | grep bluethundr
bluethundr:secret:20000:20000:Timothy P. thatguy:/home/bluethundr:/bin/bash

for group:

root@ubuntu3:~# getent group | grep bluethundr
adm:x:4:bluethundr
dialout:x:20:bluethundr
cdrom:x:24:bluethundr
plugdev:x:46:bluethundr
lpadmin:x:104:bluethundr
admin:x:115:bluethundr
bluethundr:x:1000:
sambashare:x:120:bluethundr
ldapusers:*:10000:bluethundr,jeff,tony,nick
bluethundr:*:20000:bluethundr

And make sure that the user account is not a local account:

root@ubuntu3:~# grep bluethundr /etc/passwd
root@ubuntu3:~#


So given all that why on earth is this not working? I had sudoers
setup under CentOS in about 5 minutes. But Ubuntu 9.10 still has me
head-desking!! Thank you for you help here!!










On Fri, Nov 19, 2010 at 2:49 PM, Stef Coene <stef.coene@docum.org> wrote:
> On Friday 19 November 2010, bluethundr wrote:
>> Hello Ubuntu
>>
>> On our network we have our sudoers stored in LDAP. This works fine on
>> the CentOS 5.4 clients by placing into /etc/ldap.conf
>>
>>
>> sudoers_base ou=sudoers,ou=Services,dc=example,dc=net
>>
>>
>> and in /etc/nsswitch.conf we have the entry:
>>
>>
>> sudoers: ldap
>>
>>
>> (setting this setting to just 'ldap' instead of 'files ldap' does not
>> render the machine unbootable as happens if you set passwd and group
>> this way).
>>
>> However I am attempting to set this up on an Ubuntu 9.10 client and
>> getting no joy so far. I have the same settings in /etc/ldap.conf and
>> /etc/nsswitch.conf and cannot get sudoers to work.
> I have 10.10 on my laptop and there is a separate ldap version of sudo: sudo-
> ldap.
>
> http://packages.ubuntu.com/karmic/sudo-ldap
>
>
> Stef
>



-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!