[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: sudoers: not able to execute commands with sudo
Thanks Buchan for your inputs.
I am using openldap-2.4.25 on RHEL5.4.
sudo -V as root
Sudo version 1.7.2p1
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
I could configure the sudoers and it is working now.
The change i did was i removed all the changes made to /etc/pam.d/login file and in /etc/nswitch.conf added the entry
sudoer : files ldap
Thanks for your suggestions.
Regards,
Naga Chaitanya
________________________________________
From: Buchan Milne [bgmilne@staff.telkomsa.net]
Sent: Monday, August 29, 2011 8:14 PM
To: openldap-technical@openldap.org
Cc: Naga Chaitanya Palle
Subject: Re: sudoers: not able to execute commands with sudo
On Monday, 29 August 2011 14:07:39 Naga Chaitanya Palle wrote:
> Hi,
>
> I have configured sudoers in my environment.
You may want to provide more detail on the environment (OS/distro, which LDAP-
base naming service - e.g. nss_ldap, pam-nss-ldapd etc. you are using).
> But when I try to execute a
> command using sudo, the commands fails to get executed saying "sysadmin is
> not in the sudoers file. This incident will be reported." .
> I am using sysadmin account as mentioned in the below sudoers ldif file.
>
> login as: sysadmin
> sysadmin@10.150.14.144's password:
> Last login: Mon Aug 29 14:58:50 2011 from 10.150.10.158
>
> Could not chdir to home directory /home/sysadmin: No such file or directory
Maybe you need to add pam_mkhomedir to /etc/pam.d/system-auth ?
> -bash-3.2$ sudo ls
> [sudo] password for sysadmin:
> sysadmin is not in the sudoers file. This incident will be reported.
> -bash-3.2$ sudo -V
> Sudo version 1.7.2p1
It would be more instructive to run 'sudo -V' as root.
> -bash-3.2$ sudo -l
> [sudo] password for sysadmin:
> Sorry, user sysadmin may not run sudo on devonly144.
> -bash-3.2
>
Since some of your sudo rules are group-based, you may want to provide the
output of 'id' or 'groups' here.
> On Server the sudoers file is
> /etc/openldap/slapd.conf
> include /usr/share/openldap2.4/schema/sudo.schema
> index sudoUser eq
>
> /etc/openldap/ldap.conf
> sudoers_base ou=SUDOers,dc=comverse-in,dc=com
This is probably the wrong ldap.conf, this should probably be one of
/etc/ldap.conf, /etc/nss_ldap.conf, /etc/sudo-ldap.conf, depending on the
distribution.
> sudoers.ldif
> # SUDOers, comverse-in.com
> dn: ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: SUDOers
>
> dn: cn=defaults,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Default sudoOption's go here
> sudoOption: syslog=auth
>
> dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: root
> sudoUser: root
> sudoUser: sysadmin
> sudoHost: ALL
> sudoRunAsUser: ALL
> sudoCommand: ALL
>
> dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: %wheel
> sudoUser: %wheel
> sudoHost: ALL
> sudoRunAsUser: ALL
> sudoCommand: ALL
>
> dn: cn=operator,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: operator
> sudoUser: operator
> sudoHost: ALL
> sudoCommand: /usr/sbin/dump
> sudoCommand: /usr/sbin/rdump
> sudoCommand: /usr/sbin/restore
> sudoCommand: /usr/sbin/rrestore
> sudoCommand: /usr/bin/mt
> sudoCommand: /usr/bin/kill
> sudoCommand: /usr/sbin/shutdown
> sudoCommand: /usr/sbin/halt
> sudoCommand: /usr/sbin/reboot
> sudoCommand: /usr/sbin/lpc
> sudoCommand: /usr/bin/lprm
> sudoCommand: sudoedit /etc/printcap
> sudoCommand: /usr/oper/bin/
>
> dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: ALL
> sudoUser: ALL
> sudoHost: orion
> sudoCommand: /sbin/umount /CDROM
> sudoCommand: /sbin/mount -o nosuid\
> sudoCommand: nodev /dev/cd0a /CDROM
> sudoOption: !authenticate
>
>
> On client:
> /etc/ldap.conf
> sudoers_base ou=SUDOers,dc=comverse-in,dc=com
> nss_base_passwd ou=People,dc=comverse-in,dc=com?one
> nss_base_shadow ou=People,dc=comverse-in,dc=com?one
> nss_base_group ou=Group,dc=comverse-in,dc=com?one
Please check that this is the correct configuration file, according to 'sudo -
V' output as root.
>
> /etc/pam.d/login
> #%PAM-1.0
> auth [user_unknown=ignore success=ok ignore=ignore default=bad]
> pam_securetty.so auth include system-auth
> auth required pam_securetty.so
> auth sufficient pam_ldap.so
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
>
> account required pam_nologin.so
> account include system-auth
> account sufficient pam_ldap.so
> account required pam_stack.so service=system-auth
>
> password include system-auth
> password sufficient pam_ldap.so
> password required pam_stack.so service=system-auth
>
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session include system-auth
> session required pam_loginuid.so
> session optional pam_console.so
> # pam_selinux.so open should only be followed by sessions to be executed in
> the user context session required pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session sufficient pam_ldap.so
> session required pam_stack.so service=system-auth
> session optional pam_console.so
> session required /lib/security/pam_limits.so
In most environments it is preferable to configure LDAP authentication in a
single service file that is referenced by the others, in this case
/etc/pam.d/system-auth, rather than the individual service files.
>
> /etc/nsswitch.conf
> passwd: ldap files
> shadow: ldap files
> group: ldap files
In 1.7.x you may need to add:
sudoers: files ldap
or similar to /etc/nsswitch.conf (depending on the sudo build-time
configuration, which you can see with 'sudo -V' as root).
Regards,
Buchan
===============================================================================
Please refer to http://www.aricent.com/legal/email_disclaimer.html
for important disclosures regarding this electronic communication.
===============================================================================