Red Hat Bugzilla – Bug 506945
Can't get root level access rights from ldap
Last modified: 2009-08-26 10:13:14 EDT
Description of problem:
After the last update, sudo does not work if it gets its access-rights information from LDAP. The LDAP logs contain absolutely no requests from the client about sudo access for the user who tries to run sudo. The client logs say "user NOT in sudoers".
Version-Release number of selected component (if applicable):
Try to run sudo
Steps to Reproduce:
1. Update sudo to version 1.7.1-2.fc10
2009-06-18T18:16:37.379646+04:00 host sudo: pam_krb5: authentication succeeds for 'user' (user@DOMAIN.ORG)
2009-06-18T18:16:37.437684+04:00 host sudo: user : user NOT in sudoers ; TTY=pts/11 ; PWD=/home/user/ ; USER=root ; COMMAND=/bin/ls
If sudo is downgraded to 1.6.9p17-2.fc10, the component works correctly.
Could you please test this http://koji.fedoraproject.org/koji/taskinfo?taskID=1429435 build?
The same here, but on F11 x86_64. Latest, not working: sudo-1.7.1-2.fc11.x86_64 (Koji); working: sudo-1.6.9p17-6.fc11.x86_64.
How do I get those RPMs from the link?
sudo-1.7.1-4.fc11 from Koji is still not working.
Hi, sorry for the delay. I found this entry in the 1.7.0 vs. 1.6.9 ChangeLog. It may be related to your problem:
Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify the sudoers order. E.g.:
sudoers: ldap files
to check LDAP, then /etc/sudoers. The default is files, even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first.
Do you have this entry in /etc/nsswitch.conf?
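As an added illustration (not part of this bug report or of sudo itself), the following POSIX shell check reads the "sudoers:" line of an nsswitch.conf file the way the ChangeLog entry describes sudo 1.7 doing it, falling back to "files" when the line is absent; the two sample files are constructed here and the function names are mine.

```shell
#!/bin/sh
# Added example: report which sudoers sources sudo 1.7 will consult for a
# given nsswitch.conf. With no "sudoers:" line the default is "files" only,
# so an LDAP-only setup that worked with sudo 1.6 silently stops matching.

# Print the sudoers sources, in order, with comments and extra whitespace
# removed. A missing line yields the sudo 1.7 default "files".
sudoers_sources() {
    line=$(sed -n -e 's/#.*//' \
                  -e 's/^[[:space:]]*sudoers[[:space:]]*:[[:space:]]*//p' "$1" \
           | tail -n 1 | tr -s '[:space:]' ' ' | sed 's/ *$//')
    if [ -z "$line" ]; then
        echo files
    else
        echo "$line"
    fi
}

# Succeed (exit 0) only if "ldap" appears among the sudoers sources.
uses_ldap() {
    case " $(sudoers_sources "$1") " in
        *" ldap "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed samples: "before" mirrors the reporter's file (no sudoers
# line); "after" adds the entry suggested in comment #6.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.before" <<'EOF'
passwd:     files ldap
group:      files ldap
EOF
cat > "$tmp/nsswitch.after" <<'EOF'
passwd:     files ldap
group:      files ldap
sudoers:    ldap files   # check LDAP, then /etc/sudoers
EOF

for f in before after; do
    if uses_ldap "$tmp/nsswitch.$f"; then
        state="LDAP consulted"
    else
        state="LDAP NOT consulted (sudo 1.7 default: files only)"
    fi
    printf '%s: sudoers order = "%s" -> %s\n' \
        "$f" "$(sudoers_sources "$tmp/nsswitch.$f")" "$state"
done
```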
After the string "sudoers: ldap files" was added to /etc/nsswitch.conf, sudo-1.7.1-4.fc11.x86_64 works fine for me now.
Thank you, Daniel.
(In reply to comment #6)
> Hi, sorry for the delay. I found this entry in the 1.7.0 vs. 1.6.9 ChangeLog.
> It may be related to your problem:
> Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify
> the sudoers order. E.g.:
> sudoers: ldap files
> to check LDAP, then /etc/sudoers. The default is files, even when LDAP support
> is compiled in. This differs from sudo 1.6 where LDAP was always consulted
> Do you have this entry in /etc/nsswitch.conf?
No, I don't have it.
After adding this entry and upgrading to sudo-1.7.1-4.fc10.i386, everything works fine!