Bug 506945

Summary: Can't get root level access rights from ldap
Product: [Fedora] Fedora
Reporter: Alex Bulatov <alex>
Component: sudo
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: alexandra.kossovsky, dkopecek, kryzhev, kzak, mvadkert
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-08-26 14:13:14 UTC

Description Alex Bulatov 2009-06-19 13:00:55 UTC
Description of problem:

After the last update, sudo does not work if it gets its access-rights information from LDAP. The LDAP logs contain absolutely no requests from the client about sudo access for the current user who tries to run sudo. The client logs contain "user NOT in sudoers".

Version-Release number of selected component (if applicable):

1.7.1-2.fc10

How reproducible:

Try to run sudo

Steps to Reproduce:
1. Update sudo to version 1.7.1-2.fc10
2. sudo

  
Actual results:

2009-06-18T18:16:37.379646+04:00 host sudo: pam_krb5[31872]: authentication succeeds for 'user' (user)
2009-06-18T18:16:37.437684+04:00 host sudo:    user : user NOT in sudoers ; TTY=pts/11 ; PWD=/home/user/ ; USER=root ; COMMAND=/bin/ls

Comment 1 Alex Bulatov 2009-06-19 13:03:52 UTC
If I downgrade sudo to 1.6.9p17-2.fc10, the component works correctly.

Comment 2 Daniel Kopeček 2009-06-22 14:04:42 UTC
Could you please test this http://koji.fedoraproject.org/koji/taskinfo?taskID=1429435 build?

Comment 3 Dmitrij S. Kryzhevich 2009-07-03 07:19:40 UTC
The same here, but on F11 x86_64. Latest, not working: sudo-1.7.1-2.fc11.x86_64 (Koji); working: sudo-1.6.9p17-6.fc11.x86_64.

How do I get those RPMs from the link?

Comment 4 Dmitrij S. Kryzhevich 2009-07-09 16:34:51 UTC
sudo-1.7.1-4.fc11 from Koji is still not working.

Comment 5 Dmitrij S. Kryzhevich 2009-07-26 08:33:25 UTC
Any news?

Comment 6 Daniel Kopeček 2009-08-25 11:57:12 UTC
Hi, sorry for the delay. I found this entry in the 1.7.0 vs. 1.6.9 ChangeLog. It may be related to your problem:

Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify the sudoers order. E.g.:

	    sudoers: ldap files
	
to check LDAP, then /etc/sudoers. The default is files, even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first. 

Do you have this entry in /etc/nsswitch.conf?
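
A quick check for the behaviour change described in comment 6, added here as an example (it is not part of the original bug report and not code from sudo): it reports the sudoers source order for a given nsswitch.conf, applying the 1.7 default of files when no sudoers line is present. The function names are made up for this example, and using the first sudoers line when several exist is an assumption.

```shell
#!/bin/sh
# Added example: report which sudoers sources sudo 1.7+ will consult.
# Based on the ChangeLog entry quoted above: the order comes from the
# "sudoers:" line in nsswitch.conf and defaults to "files" when absent.

# sudoers_sources FILE -> prints the effective source list, e.g. "ldap files"
sudoers_sources() {
    conf=${1:-/etc/nsswitch.conf}
    order=""
    if [ -r "$conf" ]; then
        # Strip comments, pick the first "sudoers:" line (assumption),
        # then normalise whitespace in its value.
        order=$(sed -e 's/#.*//' "$conf" |
            awk -F: '$1 ~ /^[ \t]*sudoers[ \t]*$/ { v = $2; exit }
                     END { gsub(/[ \t]+/, " ", v); sub(/^ /, "", v)
                           sub(/ $/, "", v); print v }')
    fi
    # No entry, or an empty one: only /etc/sudoers is read.
    [ -n "$order" ] || order="files"
    printf '%s\n' "$order"
}

# ldap_consulted FILE -> exit status 0 if "ldap" is among the sources
ldap_consulted() {
    case " $(sudoers_sources "$1") " in
        *" ldap "*) return 0 ;;
        *) return 1 ;;
    esac
}

# report FILE -> one-line verdict suitable for a config-audit job
report() {
    if ldap_consulted "$1"; then
        echo "OK: sudoers order is '$(sudoers_sources "$1")'; LDAP is consulted"
    else
        echo "WARN: sudoers order is '$(sudoers_sources "$1")'; LDAP rules are never queried"
    fi
}

# Usage: report /etc/nsswitch.conf
```

A WARN result on a host that keeps its sudo rules in LDAP matches the symptom in this report: "user NOT in sudoers" on the client and no sudo queries in the LDAP server log.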

Comment 7 Dmitrij S. Kryzhevich 2009-08-26 13:47:58 UTC
After the line "sudoers: ldap files" was added to /etc/nsswitch.conf, sudo-1.7.1-4.fc11.x86_64 works fine for me now.
Thank you, Daniel.

Comment 8 Alex Bulatov 2009-08-26 13:59:22 UTC
(In reply to comment #6)
> Hi, sorry for the delay. I found this entry in the 1.7.0 vs. 1.6.9 ChangeLog.
> It may be related to your problem:
> 
> Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify
> the sudoers order. E.g.:
> 
>      sudoers: ldap files
> 
> to check LDAP, then /etc/sudoers. The default is files, even when LDAP support
> is compiled in. This differs from sudo 1.6 where LDAP was always consulted
> first. 
> 
> Do you have this entry in /etc/nsswitch.conf?  

No, I don't have it.
After adding this entry and upgrading to sudo-1.7.1-4.fc10.i386, everything works fine!

Thanks!