Bug 506945 - Can't get root level access rights from ldap
Summary: Can't get root level access rights from ldap
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo
Version: 10
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Kopeček
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-06-19 13:00 UTC by Alex Bulatov
Modified: 2009-08-26 14:13 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-26 14:13:14 UTC
Type: ---
Embargoed:



Description Alex Bulatov 2009-06-19 13:00:55 UTC
Description of problem:

After the last update, sudo does not work if it gets its access-rights information from LDAP. The LDAP logs contain absolutely no requests from the client about sudo access for the current user who tries to run sudo. The client logs contain "user NOT in sudoers".

Version-Release number of selected component (if applicable):

1.7.1-2.fc10

How reproducible:

Try to run sudo

Steps to Reproduce:
1. Update sudo to version 1.7.1-2.fc10
2. sudo

  
Actual results:

2009-06-18T18:16:37.379646+04:00 host sudo: pam_krb5[31872]: authentication succeeds for 'user' (user)
2009-06-18T18:16:37.437684+04:00 host sudo:    user : user NOT in sudoers ; TTY=pts/11 ; PWD=/home/user/ ; USER=root ; COMMAND=/bin/ls

Comment 1 Alex Bulatov 2009-06-19 13:03:52 UTC
If I downgrade sudo to 1.6.9p17-2.fc10, the component works correctly.

Comment 2 Daniel Kopeček 2009-06-22 14:04:42 UTC
Could you please test this http://koji.fedoraproject.org/koji/taskinfo?taskID=1429435 build?

Comment 3 Dmitrij S. Kryzhevich 2009-07-03 07:19:40 UTC
The same here, but on F11 x86_64. Latest, not working: sudo-1.7.1-2.fc11.x86_64 (Koji); working: sudo-1.6.9p17-6.fc11.x86_64.

How do I get those RPMs from the link?

Comment 4 Dmitrij S. Kryzhevich 2009-07-09 16:34:51 UTC
sudo-1.7.1-4.fc11 from Koji is still not working.

Comment 5 Dmitrij S. Kryzhevich 2009-07-26 08:33:25 UTC
Any news?

Comment 6 Daniel Kopeček 2009-08-25 11:57:12 UTC
Hi, sorry for the delay. I found this entry in the 1.7.0 vs. 1.6.9 ChangeLog. It may be related to your problem:

Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify the sudoers order. E.g.:

	    sudoers: ldap files
	
to check LDAP, then /etc/sudoers. The default is files, even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first. 

Do you have this entry in /etc/nsswitch.conf?

Comment 7 Dmitrij S. Kryzhevich 2009-08-26 13:47:58 UTC
After adding the string "sudoers: ldap files" to /etc/nsswitch.conf, sudo-1.7.1-4.fc11.x86_64 works fine for me now.
Thank you, Daniel.

Comment 8 Alex Bulatov 2009-08-26 13:59:22 UTC
(In reply to comment #6)
> Hi, sorry for the delay. I found this entry in the 1.7.0 vs. 1.6.9 ChangeLog.
> It may be related to your problem:
> 
> Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify
> the sudoers order. E.g.:
> 
>      sudoers: ldap files
> 
> to check LDAP, then /etc/sudoers. The default is files, even when LDAP support
> is compiled in. This differs from sudo 1.6 where LDAP was always consulted
> first. 
> 
> Do you have this entry in /etc/nsswitch.conf?  

No, I don't have it.
After adding this entry and upgrading to sudo-1.7.1-4.fc10.i386, everything works fine!

Thanks!
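
A check for the condition resolved in this thread, as an added example that is not part of the original bug report or of sudo itself: it reports the effective `sudoers:` source order from an nsswitch.conf file, falling back to `files` when no such line exists, so hosts upgraded from sudo 1.6 that no longer consult LDAP can be spotted. The function names are hypothetical, the sample files are constructed, and reading only the first `sudoers:` line is an assumption of this sketch.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# effective_sudoers_order [FILE]
# Prints the sources listed on the first uncommented "sudoers:" line of FILE
# (assumption: only the first such line is considered). Prints "files" when
# the line or the file is missing, the sudo 1.7 default quoted in comment 6.
effective_sudoers_order() {
    conf=${1:-/etc/nsswitch.conf}
    order=""
    if [ -r "$conf" ]; then
        order=$(sed -e 's/#.*//' "$conf" | awk -F: '
            $1 ~ /^[ \t]*sudoers[ \t]*$/ {
                sub(/^[^:]*:/, "")              # drop the "sudoers:" key
                gsub(/^[ \t]+|[ \t]+$/, "")     # trim both ends
                gsub(/[ \t]+/, " ")             # collapse inner whitespace
                print
                exit
            }')
    fi
    [ -n "$order" ] || order="files"
    printf '%s\n' "$order"
}

# sudoers_consults_ldap [FILE]
# Returns 0 if "ldap" appears as a source in the effective order, 1 otherwise.
sudoers_consults_ldap() {
    case " $(effective_sudoers_order "$1") " in
        *" ldap "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on constructed sample files (not taken from any real host).
demo_dir=$(mktemp -d)
printf 'passwd: files ldap\n# sudoers: ldap files\n' > "$demo_dir/upgraded-from-1.6"
printf 'passwd: files ldap\nsudoers:\tldap   files  # LDAP first\n' > "$demo_dir/fixed"
for f in "$demo_dir/upgraded-from-1.6" "$demo_dir/fixed"; do
    if sudoers_consults_ldap "$f"; then
        state="LDAP consulted"
    else
        state="LDAP NOT consulted"
    fi
    printf '%s: order="%s" (%s)\n' "${f##*/}" "$(effective_sudoers_order "$f")" "$state"
done
rm -rf "$demo_dir"
```

Called without an argument, both functions read /etc/nsswitch.conf on the local host.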

